The Kubernetes Current Blog

Goodbye PodSecurityPolicy, Hello OPA Gatekeeper

Kubernetes v1.25, released recently, removed the PodSecurityPolicy (PSP) feature. The intent behind PSP was to control security-sensitive aspects of pod specifications by defining requirements that Pods must meet; a pod that did not meet the PSP requirements was not admitted to the cluster.

PSP, however, had major usability issues, and the decision was made to remove it. Given the importance of the use cases that PSP enabled from a Kubernetes security standpoint, a replacement, Pod Security Admission, was designed and released as a stable feature in v1.25. More information on this is available here.

One of the challenges organizations will face because of this transition is the inability to standardize pod security policies across clusters running different Kubernetes versions. As mentioned earlier, Pod Security Admission (PSA) is available as a stable feature only from v1.25, and it is untenable for most organizations to upgrade all of their clusters to v1.25+ at once. Solutions such as OPA Gatekeeper and Kyverno provide a critical bridge that works across Kubernetes versions and enables a more practical approach for organizations to manage the lifecycle of their clusters. Furthermore, these solutions also offer capabilities that help organizations satisfy governance and security requirements beyond pod security policies alone.

The challenges that organizations face when implementing a solution such as OPA Gatekeeper at scale across many clusters broadly fall into two categories:

  • The ongoing effort required to maintain a consistent policy configuration across an entire fleet of clusters: creating, testing, tuning, deploying, and verifying policies carries significant overhead
  • Obtaining feedback and visibility into how clusters are faring against configured compliance policies on an ongoing basis

Rafay’s Kubernetes Operations Platform addresses these challenges helping organizations manage the entire lifecycle for OPA Gatekeeper and altogether remove the need for any continual DIY investment.

Rafay’s turnkey policies can help organizations operationalize OPA Gatekeeper in minutes.
To learn more about OPA Gatekeeper and Rafay, check out our getting started guide and watch our OPA Gatekeeper demo.

If you are ready to leverage the real power of Kubernetes with a platform that provides best-in-class Policy Management capabilities, sign up for a free trial of Rafay today.
