Kubernetes Security Series – Episode 1

Securing Pods with Pod Security Policies (PSPs) In this blog, we’ll cover:

• What PSPs are

• Common pitfalls for beginners

• How to prevent misconfigurations

1️⃣What Are Pod Security Policies?

• PSPs are cluster-level rules that define what pods can and cannot do.

• They help prevent risky actions like:

  • Running pods as root

  • Using host networking or privileged containers

  • Accessing node resources unnecessarily

How it works:

Pod Deployment Request → Kubernetes API Server → PSP Check → Pod Allowed / Denied

2️⃣ Common Mistakes in Smaller Clusters

Without PSPs or proper configurations, common mistakes include:

1. Not blocking host networking

   This can expose the node’s network to pods, increasing the attack surface.

2. Deploying pods with default privileges

   Running as root or with elevated privileges can lead to privilege escalation.

3. Allowing privileged containers

   Increases risk of breaking pod isolation and accessing node resources.

4. Using unverified volumes or host paths

   Could allow pods to access sensitive files or system directories.

3️⃣ Step-by-Step Guidance

Even without advanced identity tools, you can enforce these practices safely:

1. Enable Pod Security Admission (PSA) or PSP in your cluster

2. Create a restricted PSP to enforce:

   • Non-root users

   • No privileged containers

   • No host networking / IPC / PID

3. Assign PSPs via RBAC to teams or roles

4. Test deployment with compliant and non-compliant pods

5. Monitor pods continuously for deviations

Kubernetes PSP Checklist - Structure

 Key Takeaways

• PSPs or Pod Security Admission are essential for cluster security.

• Even beginners can avoid common mistakes by enforcing non-root policies, blocking host networking, and restricting privileges.

• Using a checklist helps teams maintain ongoing compliance and reduces risk.