PodSecurityPolicy Replacement: Past, Present, and Future

Lessons learned from developing Pod Security Admission in Kubernetes

• Big decisions have a life cycle and require a shared understanding of the problem and potential solutions
• Technical decisions involve feelings and exploring big questions together in a more informal setting can help build consensus
• Pod Security Admission was developed based on end user experiences and with consideration for other options available
• Collaboration and coordination between SIG Security and SIG Auth led to a prototype that combined the strengths of two competing proposals
• There is room for improvement in the documentation and migration from PSP

The development of Pod Security Admission involved collaboration and coordination between SIG Security and SIG Auth, as well as consideration for end user experiences and other available options. The process required building consensus and exploring big questions together in a more informal setting, as technical decisions involve feelings. The result was a prototype that combined the strengths of two competing proposals and addressed the pain points of end users. However, there is still room for improvement in the documentation and migration from PSP.

Join two of the maintainers leading the PSP replacement effort for a welcoming, accessible discussion of PodSecurityPolicy and its built-in replacement, Pod Security Admission Control. They’ll cover how to tell whether PSP deprecation affects you, the meaning of deprecation in Kubernetes, and steps you can take today to ease your eventual transition off of PSP. You’ll hear guidelines for considering the new Pod Security Admission Control, learn how to try it out yourself, and even enjoy a little bit of Kubernetes storytelling.