PodSecurityPolicy
So far, we have learned about and tested Kubernetes RBAC to prevent unauthorized API server access, and also applied a NetworkPolicy to prevent unnecessary network communication. The next most important area of security outside the network is the application runtime. Attackers need network access to get in and out, but to do anything more serious than compromise a single container they also need a runtime that lets them escalate: a privileged container, access to the host's PID or network namespace, a writable hostPath mount, or a process running as root with extra Linux capabilities. Kubernetes PodSecurityPolicy objects exist to stop such Pods from being admitted in the first place.
PodSecurityPolicy objects are enforced by a dedicated admission controller (PodSecurityPolicy, which must be enabled on the API server) and let a cluster operator define cluster-wide constraints on the security-sensitive parts of a Pod specification: whether it may run privileged or share the host's network, PID, or IPC namespaces, which volume types and Linux capabilities it may use, which user and group IDs it may run as, and so on. Every Pod creation request is validated against the policies that the requesting user or service account is authorized to use (an RBAC `use` verb on the policy); a Pod that satisfies none of them is rejected before it is ever scheduled. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, where the built-in Pod Security Admission controller takes over the same role.
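The following is an added example, not taken from the original text: a restrictive PodSecurityPolicy, the RBAC objects that let a namespace's default service account use it, and a Pod that the admission controller would reject under that policy. The namespace `payments`, the policy name `restricted`, and the Pod are hypothetical names chosen for illustration.

```yaml
# --- 1. The policy itself: no privilege, no host namespaces, non-root only ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted                      # hypothetical policy name
  annotations:
    # Pre-1.19 seccomp control is annotation based; runtime/default is the
    # container runtime's own default profile.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                     # no --privileged containers
  allowPrivilegeEscalation: false       # no setuid binaries gaining privilege
  requiredDropCapabilities:
    - ALL                               # drop every Linux capability
  hostNetwork: false                    # no sharing of host namespaces
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot              # UID 0 is rejected
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535                      # anything but the root group
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  volumes:                              # allow-list; hostPath is deliberately absent
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# --- 2. Authorize use of the policy via RBAC (the "use" verb) ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['restricted']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:restricted:default-sa
  namespace: payments                   # hypothetical namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - kind: ServiceAccount
    name: default
    namespace: payments
---
# --- 3. A Pod that violates the policy and will be rejected at admission ---
apiVersion: v1
kind: Pod
metadata:
  name: hostpid-shell                   # hypothetical Pod
  namespace: payments
spec:
  hostPID: true                         # violates hostPID: false
  containers:
    - name: shell
      image: busybox
      command: ["sleep", "3600"]
      securityContext:
        privileged: true                # violates privileged: false
        runAsUser: 0                    # violates MustRunAsNonRoot
```

Two caveats a practitioner should check before relying on this. First, the policy does nothing unless the API server runs with `--enable-admission-plugins=PodSecurityPolicy`; once it does, any service account that is not bound to some policy can no longer create Pods at all, so create and bind policies before enabling the plugin. Second, the binding above grants use only to the namespace's `default` service account; workloads created through a controller (Deployment, Job, and so on) are admitted on behalf of the controller's service account, so that account must be bound to a policy too.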
To understand exactly how PodSecurityPolicies can be useful, let's consider the following scenario. You are a Kubernetes cluster admin at a large financial institution. Your company uses ticket-based change management software in an ITIL-compliant fashion (ITIL...