Use Pod Security Admission in Azure Kubernetes Service (AKS)
Pod Security Admission (PSA) uses labels to enforce Pod Security Standards policies on pods running in a namespace. AKS enables Pod Security Admission is enabled by default. For more information about Pod Security Admission and Pod Security Standards, see Enforce Pod Security Standards with namespace labels and Pod Security Standards.
Pod Security Admission is a built-in policy solution for single cluster implementations. If you want to use an enterprise-grade policy, we recommend you use Azure policy.
Before you begin
- An Azure subscription. If you don't have an Azure subscription, you can create a free account.
- Azure CLI installed.
- An existing AKS cluster running Kubernetes version 1.23 or higher.
Enable Pod Security Admission for a namespace in your cluster
Enable PSA for a single namespace
Enable PSA for a single namespace in your cluster using the
kubectl labelcommand and set thepod-security.kubernetes.io/enforcelabel with the policy value you want to enforce. The following example enables therestrictedpolicy for the NAMESPACE namespace.kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
Enable PSA for all namespaces
Enable PSA for all namespaces in your cluster using the
kubectl labelcommand and set thepod-security.kubernetes.io/warnlabel with the policy value you want to enforce. The following example enables thebaselinepolicy for all namespaces in your cluster. This policy generates a user-facing warning if any pods are deployed to a namespace that doesn't meet the baseline policy.kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
Enforce a Pod Security Admission policy with a deployment
Create two namespaces using the
kubectl create namespacecommand.kubectl create namespace test-restricted kubectl create namespace test-privilegedEnable a PSA policy for each namespace, one with the
restrictedpolicy and one with thebaselinepolicy, using thekubectl labelcommand.kubectl label --overwrite ns test-restricted pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted kubectl label --overwrite ns test-privileged pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=privilegedThis configures the
test-restrictedandtest-privilegednamespaces to block running pods and generate a user-facing warning if any pods that don't meet the configured policy attempt to run.Attempt to deploy pods to the
test-restrictednamespace using thekubectl applycommand. This command results in an error because thetest-restrictednamespace is configured to block pods that don't meet therestrictedpolicy.kubectl apply --namespace test-restricted -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yamlThe following example output shows a warning stating the pods violate the configured policy:
... Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-back" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-back" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-back" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-back" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") deployment.apps/azure-vote-back created service/azure-vote-back created Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-front" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-front" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-front" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-front" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") deployment.apps/azure-vote-front created service/azure-vote-front createdConfirm there are no pods running in the
test-restrictednamespace using thekubectl get podscommand.kubectl get pods --namespace test-restrictedThe following example output shows no pods running in the
test-restrictednamespace:No resources found in test-restricted namespace.Attempt to deploy pods to the
test-privilegednamespace using thekubectl applycommand. This time, the pods should deploy successfully because thetest-privilegednamespace is configured to allow pods that violate theprivilegedpolicy.kubectl apply --namespace test-privileged -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yamlThe following example output shows the pods deployed successfully:
deployment.apps/azure-vote-back created service/azure-vote-back created deployment.apps/azure-vote-front created service/azure-vote-front createdConfirm you have pods running in the
test-privilegednamespace using thekubectl get podscommand.kubectl get pods --namespace test-privilegedThe following example output shows two pods running in the
test-privilegednamespace:NAME READY STATUS RESTARTS AGE azure-vote-back-6fcdc5cbd5-svbdf 1/1 Running 0 2m29s azure-vote-front-5f4b8d498-tqzwv 1/1 Running 0 2m28sRemove the
test-restrictedandtest-privilegednamespaces using thekubectl deletecommand.kubectl delete namespace test-restricted test-privileged
Next steps
In this article, you learned how to enable Pod Security Admission an AKS cluster. For more information about Pod Security Admission, see Enforce Pod Security Standards with Namespace Labels. For more information about the Pod Security Standards used by Pod Security Admission, see Pod Security Standards.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for