Kubernetes hardening
Pod Security Admission (PSA) for Kubernetes cluster
Kubernetes PSA standards define different isolation levels for pods. The PSA controller is a built-in feature of Kubernetes that enforces pod security standards. Pod security restrictions are applied at the namespace level when pods are created. Pod security standards define three different policies (described below) to broadly cover the security spectrum.
Namespaces can be labelled to enforce the following pod security standards:
- Privileged: unrestricted policy that provides the widest possible level of permissions. This policy allows for known privilege escalations.
- Baseline: minimally restrictive policy that prevents known privilege escalations. Allows the default (minimally specified) pod configuration.
- Restricted: heavily restricted policy that follows current pod hardening best practices.
NSP deploys pods in three namespaces that map to the pod security standards listed above. The namespace labels are configurable from the NSP deployer using attributes defined under the kubernetes section of nsp-config.yml.
Note: Most pods in the NSP cluster are deployed using the restricted pod security standard; however, certain pods require additional privileges and must be deployed with a less restrictive pod security standard.
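The following added example (not NSP or Kubernetes project code) audits which pod security standard each namespace enforces by reading the standard `pod-security.kubernetes.io/enforce` namespace label from `kubectl get namespaces -o json` output. The namespace names and the `audit_namespaces` helper are hypothetical, and the sample input is constructed; NSP's actual namespace names and nsp-config.yml attributes are not assumed here.

```python
import json

PREFIX = "pod-security.kubernetes.io/"
LEVELS = ("privileged", "baseline", "restricted")  # least to most restrictive

# Constructed sample in the shape of `kubectl get namespaces -o json`.
# Namespace names are hypothetical, not NSP's actual namespaces.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "app-restricted", "labels": {
        PREFIX + "enforce": "restricted",
        PREFIX + "enforce-version": "latest"}}},
    {"metadata": {"name": "app-baseline", "labels": {
        PREFIX + "enforce": "baseline"}}},
    {"metadata": {"name": "app-privileged", "labels": {
        PREFIX + "enforce": "privileged"}}},
    {"metadata": {"name": "scratch"}},  # no PSA labels at all
    {"metadata": {"name": "typo", "labels": {PREFIX + "enforce": "restrict"}}},
]})


def audit_namespaces(raw_json, minimum="baseline"):
    """Return {namespace: (enforce_level, finding)} for every namespace."""
    floor = LEVELS.index(minimum)
    report = {}
    for item in json.loads(raw_json).get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        level = labels.get(PREFIX + "enforce")
        if level is None:
            # Unlabelled namespaces fall back to the cluster-wide PSA default.
            finding = "no enforce label: cluster-wide default applies"
        elif level not in LEVELS:
            finding = "unrecognised level"
        elif LEVELS.index(level) < floor:
            finding = "below minimum " + minimum
        else:
            finding = "ok"
        report[meta.get("name", "<unnamed>")] = (level, finding)
    return report


if __name__ == "__main__":
    for name, (level, finding) in audit_namespaces(SAMPLE).items():
        print(f"{name:16} enforce={level or '-':11} {finding}")
```

A namespace reported as below the minimum is not necessarily a misconfiguration, since some pods need a less restrictive standard; the report is a list of namespaces whose exceptions should be known and justified.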