# How to Manage Kubernetes Pod Security Policy Deprecation

By [Omri Cohen](https://www.paloaltonetworks.com/blog/author/omri-cohen/?ts=markdown "Posts by Omri Cohen"), Jan 28, 2021, 6 minutes

Back in December, the Kubernetes Auth Special Interest Group (AKA
[sig-auth](https://github.com/kubernetes/community/tree/master/sig-auth)) [announced its decision](https://github.com/kubernetes/kubernetes/pull/97171) to deprecate Pod Security Policy (PSP) in Kubernetes version 1.21 and to remove the API completely in version 1.25. This decision could leave many Kubernetes users exposed to various exploits: without such a policy in place, adversaries may run privileged pods, create pods in host namespaces or on the host network, and much more. [Prisma Cloud](https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-compute-edition-aag) customers can mitigate PSP deprecation through the built-in admission controller, which uses [Open Policy Agent](https://www.paloaltonetworks.com/blog/prisma-cloud/open-policy-agent-support/) (OPA) rules.

## **Some Background**

Pods are the most basic building block of Kubernetes clusters. Since pods are usually the surface most exposed to adversarial attacks, ensuring their security is of the utmost importance. To mitigate these concerns, the Kubernetes teams decided to provide a built-in mechanism that helps users apply a fine-grained security policy to their pods.

## **What Is Pod Security Policy?**

The official definition from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) says: "A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields."

For example, with a PSP defined you can decide:

* Can a pod be created with a privileged container?
* Can a pod that mounts a sensitive host path be created?
* Can a pod that escalates root privileges be created?
* Can a pod be created with host filesystem usages?
## **Why Is It Being Removed?**

The PSP feature was introduced in Kubernetes 1.3 and has been stuck in beta ever since. The reasons for its deprecation are some fundamental flaws in its design:

##### **PSPs are bound with a dual model**

When a PSP is created, it is bound to the subject of the pod being created. That is, policies are bound to the requesting user **OR** the pod's service account; this is a dual model. It weakens security because it is hard to determine which subject is actually bound to the policy.

##### **PSPs do not apply to all Kubernetes resources**

As the name suggests, PSP is relevant only to pod security. There have been security issues, such as the ability to [bypass hostPath mount restrictions](https://github.com/kubernetes/kubernetes/issues/81110), that could not be solved with PSP simply because they were out of its scope. As Kubernetes grows, it becomes harder to determine which resources are covered by PSP and which are not.

##### **PSP admission fail close mode**

When enabled, in the absence of a policy, PSP admission control **fails closed**. This means that pods will not start until you have covered every subject bound to the policy. Therefore, PSP admission control can never be enabled by default. This also makes it much more difficult to have complete test coverage for the policy.

The main question underlying the [future of this feature](https://docs.google.com/document/d/1VKqjUlpU888OYtIrBwidL43FOLhbmOD5tesYwmjzO4E/edit#heading=h.4a99hs64hs3k) was: **Does Kubernetes actually need a built-in mechanism for pod admission policy?** Now that you know that PSP deprecation is happening, the answer is simply **no**. But fear not -- we've got you covered!

## **Palo Alto Networks Got Your Back**

Prisma Cloud customers benefit from the built-in [admission control feature](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/access_control/open_policy_agent.html).
This feature, based on [Open Policy Agent](https://www.openpolicyagent.org/) (OPA), can mitigate PSP deprecation -- and do much more (see the "Mitigating Non-Pod Resources" section below). As opposed to the PSP setup, with Prisma Cloud you can simply enable the feature and compose the policy rules via our UI:

[![Admission controller configuration in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/Admission-controller-configuration.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/Admission-controller-configuration.png)

Admission controller configuration in Prisma Cloud

Each of these rules is implemented in the [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) syntax, and you can set any rule to **alert/block or allow**. The feature is also cloud-agnostic, meaning you can use the same solution regardless of your Kubernetes deployment infrastructure. The output of the alert/block operations is visible through a dedicated event viewer, which adds all relevant information related to the blocked request:

[![Example entry from the event viewer](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/event-viewer.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/event-viewer.png)

Example entry from the event viewer

**Built-In Set Of Recommended Rules**

We have created a set of rules delivered out of the box. Some of these predefined rules implement specific sections of the [Kubernetes CIS benchmark](https://www.cisecurity.org/benchmark/kubernetes/). Here are some examples from our current set of predefined rules:

* Creation of a privileged pod
* Pod created in a host process ID namespace
* Pod created in a host IPC namespace
* Pod created on the host network

As you can see, some of these rules already implement conditions defined as part of PSP.
**Composing PSP To Rego Rules**

You can also take existing PSP conditions, compose them in Rego syntax, and have them ready to block or alert in no time. For example, PSP lets you prevent the creation of pods that [allow privilege escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation):

**AllowPrivilegeEscalation** - Gates whether or not a user is allowed to set the security context of a container to allowPrivilegeEscalation=true. This defaults to allowed so as to not break setuid binaries. Setting it to false ensures that no child process of a container can gain more privileges than its parent.

Let's say we want to **block** any container that allows privilege escalation. To enforce such a rule, we need to examine each review request in the following order:

1. Validate that the review request is for creating an object
2. Validate that the request kind is a pod
3. Validate that the resource being created is a pod
4. Validate the [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) of each container being created: if the context sets the allowPrivilegeEscalation flag to true for one of the containers, block the request

Let's see how this looks in Rego syntax:

[![Creating a privilege escalation rule in Prisma Cloud using Rego syntax](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/privilege-escalation-rule.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/privilege-escalation-rule.png)

Creating a privilege escalation rule in Prisma Cloud using Rego syntax

As required, the admission rule effect is set to block and the rule is ready to be applied.
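The four checks above, as an added example that is not the post's Rego rule or any Prisma Cloud code: a Python model of the same admission decision, run against a constructed AdmissionReview request so it can be tested offline. It goes beyond the post in two ways, both marked in comments: it walks initContainers and ephemeralContainers as well as containers, and a `strict` flag also rejects containers that leave the field unset, since the Kubernetes default is allowed.

```python
import json

# Constructed AdmissionReview (admission.k8s.io/v1) for a Pod CREATE request:
# the "app" container explicitly allows privilege escalation; "sidecar" leaves
# the field unset, which Kubernetes treats as allowed.
REQUEST_JSON = """{
  "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
  "request": {
    "uid": "11111111-2222-3333-4444-555555555555",
    "operation": "CREATE",
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "resource": {"group": "", "version": "v1", "resource": "pods"},
    "object": {
      "metadata": {"name": "escalating-pod", "namespace": "default"},
      "spec": {"containers": [
        {"name": "app", "image": "nginx",
         "securityContext": {"allowPrivilegeEscalation": true}},
        {"name": "sidecar", "image": "busybox"}]}}}}"""


def sample_review() -> dict:
    """Parse the constructed request into a fresh dict."""
    return json.loads(REQUEST_JSON)


def evaluate(review: dict, strict: bool = False) -> dict:
    """Apply the post's four checks in order and return the verdict.

    1. operation is CREATE; 2. request kind is Pod; 3. resource is pods;
    4. a container securityContext sets allowPrivilegeEscalation=true.
    Requests the rule does not target are allowed untouched, like a Rego
    rule whose body never matches. strict=True (beyond the post) also rejects
    containers that leave the field unset, because the Kubernetes default is
    allowed and a validating rule cannot change that default the way a PSP did.
    """
    req = review.get("request", {})
    if req.get("operation") != "CREATE":
        return {"allowed": True, "violations": []}
    if req.get("kind", {}).get("kind") != "Pod":
        return {"allowed": True, "violations": []}
    if req.get("resource", {}).get("resource") != "pods":
        return {"allowed": True, "violations": []}

    spec = req.get("object", {}).get("spec", {})
    violations = []
    # PSP's control covered every container in the pod, so initContainers and
    # ephemeralContainers are walked as well as spec.containers (beyond the post).
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            value = (c.get("securityContext") or {}).get("allowPrivilegeEscalation")
            if value is True:
                violations.append(f"{field}/{c.get('name')}: allowPrivilegeEscalation=true")
            elif value is None and strict:
                violations.append(f"{field}/{c.get('name')}: allowPrivilegeEscalation unset")
    return {"allowed": not violations, "violations": violations}


def admission_response(review: dict, strict: bool = False) -> dict:
    """Wrap the verdict in the AdmissionReview response the API server expects."""
    verdict = evaluate(review, strict)
    resp = {"uid": review["request"]["uid"], "allowed": verdict["allowed"]}
    if not verdict["allowed"]:
        resp["status"] = {"code": 403, "message": "; ".join(verdict["violations"])}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


if __name__ == "__main__":
    print(json.dumps(admission_response(sample_review(), strict=True), indent=2))
```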
After applying the rule, let's try to create a pod that enables privilege escalation for one of its containers:

[![Applying the manifest that escalates the privilege of a pod](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/privilege-manifest.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/privilege-manifest.png)

Applying the manifest that escalates the privilege of a pod

[![Prisma Cloud blocking the creation of a privilege escalation pod](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/block-pod-creation.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/01/block-pod-creation.png)

Prisma Cloud blocking the creation of a privilege escalation pod

**Mitigating Non-Pod Resources**

In December 2020, Unit 42 cloud threat researchers [published an article](https://unit42.paloaltonetworks.com/cve-2020-8554/) on how to protect against an unfixed Kubernetes man-in-the-middle vulnerability ([CVE-2020-8554](https://www.paloaltonetworks.com/blog/prisma-cloud/solving-kubernetes-cve-2020-8554/)). The mitigation of this vulnerability also uses our admission control feature. This is possible because admission control is not limited to specific resource types.

**Filling Kubernetes Security Gaps**

PSP had good intentions to prevent privilege escalation attacks, and therefore its deprecation and future removal will leave a gap for some Kubernetes operators. The Prisma Cloud integration with OPA allows us to protect customers from overly permissive policies in Kubernetes. This capability, along with our [comprehensive suite of cloud native security tools](https://www.paloaltonetworks.com/blog/2021/01/cloud-host-container-web-app-api-release/), helps our customers maintain their security posture as Kubernetes scales and more vulnerable components are discovered.
If you'd like to see our solution for PSP deprecation and other features in action, reach out to [request a personalized demo](https://www.paloaltonetworks.com/company/request-demo).