
The Hitchhiker's Guide to Pod Security

2022-05-18

Authors: Lachie Evenson


Summary

The presentation discusses why Pod Security matters in Kubernetes clusters and how it can be used to harden workloads. It also covers migrating from PodSecurityPolicy to Pod Security admission.
  • Pod Security is a built-in admission controller in Kubernetes that evaluates Pod specifications against a predefined set of Pod Security Standards and admits or denies the Pod accordingly.
  • The standards restrict Pod privileges, shrinking the attack surface of a compromised workload and making the cluster more secure.
  • Pod Security is simple to use: the predefined standards align with Kubernetes security best practices and are applied per namespace with labels, so no policy authoring is required.
  • PodSecurityPolicy, which is deprecated, can be migrated to Pod Security using a well-defined process.
  • Pod Security does not support mutation, that is, it cannot change Kubernetes resources server-side; it only validates Pods and cannot rewrite them to comply.
The speaker emphasizes the importance of Pod Security by stating that they do not want to see a talk at KubeCon next year about how Pod Security ruined someone's life. They also mention their love of travel and of experiencing different cultures, and their goal of learning seven languages during their lifetime.
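The namespace-label mechanism the summary refers to, shown as an added example that is not part of the talk's own materials: a namespace that enforces the restricted Pod Security Standard, a Pod that admission rejects, and the same Pod adjusted so that it is admitted. It assumes a cluster at Kubernetes v1.23 or later with the PodSecurity admission controller enabled (beta, on by default in v1.23); the namespace name, Pod names, image and user ID are illustrative.

```yaml
# Added example, not from the talk: namespace-level Pod Security labels.
# Assumes Kubernetes v1.23+ with PodSecurity admission enabled.
# The namespace "payments", the Pod names, image and uid are illustrative.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # enforce: reject Pods that violate the restricted profile
    pod-security.kubernetes.io/enforce: restricted
    # pin the profile version so later Kubernetes releases do not silently
    # tighten the rules under running workloads (optional)
    pod-security.kubernetes.io/enforce-version: v1.23
    # warn: return the violations to the client on kubectl apply
    pod-security.kubernetes.io/warn: restricted
    # audit: record the violations in the API server audit log
    pod-security.kubernetes.io/audit: restricted
---
# Rejected by enforce=restricted: no securityContext, so the container may
# run as root, may gain privileges, keeps the default capability set and
# has no seccomp profile. The API server returns the full list of
# violations and the Pod is never created.
apiVersion: v1
kind: Pod
metadata:
  name: app-rejected
  namespace: payments
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
---
# Admitted: every field the restricted profile requires is set explicitly.
# Admission does not add these for you (no mutation), so they must be in
# the manifest.
apiVersion: v1
kind: Pod
metadata:
  name: app-admitted
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001            # any non-zero uid satisfies the check
    seccompProfile:
      type: RuntimeDefault      # restricted requires RuntimeDefault or Localhost
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]           # restricted allows adding back only NET_BIND_SERVICE
```

Applying the file with `kubectl apply -f` creates the namespace, rejects `app-rejected` with an error naming each violated control, and creates `app-admitted`. For a PodSecurityPolicy migration the same labels can be tried before they are committed: `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted` evaluates every existing Pod in every namespace against the profile and prints the would-be violations as warnings without changing anything, which is how you find the workloads that need fixing before enforce is switched on.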

Abstract

With the release of Kubernetes v1.23, Pod Security admission has entered beta. Pod Security is a built-in admission controller that evaluates Pod specifications against a predefined set of Pod Security Standards and determines whether to admit or deny the Pod. Pod Security is the successor to PodSecurityPolicy, which was deprecated in the v1.21 release and will be removed in Kubernetes v1.25. In this presentation I cover the key concepts of Pod Security and how to use it, walking through practical examples. By explaining this new security-focused API I hope that cluster administrators and developers alike will use it to enforce secure defaults for their workloads.

Materials: