We can enable security settings on a per-Pod basis by setting security context attributes in individual Pod YAML files. However, this approach doesn’t scale, requires developers and operators to remember to do this for every Pod, and is prone to errors. Pod Security Policies offer a better way.

Pod Security Policies are a relatively new feature that allows you to define security settings at the cluster level. We can then apply these to targeted sets of Pods as part of the deployment process. As such, this solution scales better, requires less work from developers and admins, and is less prone to error. It also lends itself to situations where you have a team dedicated to securing apps in production.

Pod Security Policies are implemented as an admission controller, and, in order to use them, a Pod’s serviceAccount must be authorized to use it. Once this is done, their policies are applied to new requests to create Pods as they pass through the API admission chain.

Pod Security Policy example

Let’s finish the chapter with a quick look at an example of a Pod Security Policy that covers many of the points discussed in this chapter as well as some other known secure defaults.

The example is based on an example from the official Kubernetes docs: