Mapping PodSecurityPolicies to Pod Security Standards
The tables below enumerate the configuration parameters on PodSecurityPolicy
objects, whether the field mutates and/or validates pods, and how the configuration values map to the Pod Security Standards.
For each applicable parameter, the allowed values for the Baseline and Restricted profiles are listed. Anything outside the allowed values for those profiles would fall under the Privileged profile. “No opinion” means all values are allowed under all Pod Security Standards.
For a step-by-step migration guide, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.
PodSecurityPolicy Spec
The fields enumerated in this table are part of the PodSecurityPolicySpec
, which is specified under the .spec
field path.
PodSecurityPolicySpec | Type | Pod Security Standards Equivalent |
---|---|---|
privileged | Validating | Baseline & Restricted: false / undefined / nil |
defaultAddCapabilities | Mutating & Validating | Requirements match allowedCapabilities below. |
allowedCapabilities | Validating | Baseline: subset of
Restricted: empty / undefined / nil OR a list containing only |
requiredDropCapabilities | Mutating & Validating | Baseline: no opinion Restricted: must include |
volumes | Validating | Baseline: anything except
Restricted: subset of
|
hostNetwork | Validating | Baseline & Restricted: false / undefined / nil |
hostPorts | Validating | Baseline & Restricted: undefined / nil / empty |
hostPID | Validating | Baseline & Restricted: false / undefined / nil |
hostIPC | Validating | Baseline & Restricted: false / undefined / nil |
seLinux | Mutating & Validating | Baseline & Restricted:
|
runAsUser | Mutating & Validating | Baseline: Anything Restricted: |
runAsGroup | Mutating (MustRunAs) & Validating | No opinion |
supplementalGroups | Mutating & Validating | No opinion |
fsGroup | Mutating & Validating | No opinion |
readOnlyRootFilesystem | Mutating & Validating | No opinion |
defaultAllowPrivilegeEscalation | Mutating | No opinion (non-validating) |
allowPrivilegeEscalation | Mutating & Validating | Only mutating if set to Baseline: No opinion Restricted: |
allowedHostPaths | Validating | No opinion (volumes takes precedence) |
allowedFlexVolumes | Validating | No opinion (volumes takes precedence) |
allowedCSIDrivers | Validating | No opinion (volumes takes precedence) |
allowedUnsafeSysctls | Validating | Baseline & Restricted: undefined / nil / empty |
forbiddenSysctls | Validating | No opinion |
allowedProcMountTypes (alpha feature) | Validating | Baseline & Restricted: [“Default”] OR undefined / nil / empty |
runtimeClass .defaultRuntimeClassName | Mutating | No opinion |
runtimeClass .allowedRuntimeClassNames | Validating | No opinion |
PodSecurityPolicy annotations
The annotations enumerated in this table can be specified under .metadata.annotations
on the PodSecurityPolicy object.
PSP Annotation | Type | Pod Security Standards Equivalent |
---|---|---|
seccomp.security.alpha.kubernetes.io /defaultProfileName | Mutating | No opinion |
seccomp.security.alpha.kubernetes.io /allowedProfileNames | Validating | Baseline: Restricted:
|
apparmor.security.beta.kubernetes.io /defaultProfileName | Mutating | No opinion |
apparmor.security.beta.kubernetes.io /allowedProfileNames | Validating | Baseline: Restricted:
|