Pod Security Policies
As we've seen throughout the chapter, we can enable security settings on a per-Pod basis by setting security context attributes in individual Pod YAML files. However, this approach doesn't scale, requires developers and operators to remember to do this for every Pod, and is prone to errors. Pod Security Policies offer a better way.
Pod Security Policies are a relatively new feature that allows us to define security settings at the cluster level. We can then apply these to targeted sets of Pods as part of the deployment process. As such, this solution scales better, requires less work from developers and admins, and is less prone to error. It also lends itself to situations where you have a team dedicated to securing apps in production.
Pod Security Policies are implemented as an admission controller, and in order to use one, a Pod's serviceAccount must be authorized to use that policy. Once this is done, the policy is applied to new requests to...
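The following is an added example, not from the book: a restrictive PodSecurityPolicy together with the RBAC objects that authorize one serviceAccount to use it, which is the "authorized to use" step described above. The policy name `restricted`, namespace `prod` and serviceAccount `web` are assumptions.

```yaml
# Added example (not from the book): a restrictive PodSecurityPolicy plus the
# RBAC that lets one serviceAccount use it. Assumed: "restricted", "prod", "web".
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                  # no privileged containers
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]  # containers must drop every capability
  hostNetwork: false                 # hostPID and hostIPC default to false
  runAsUser:
    rule: MustRunAsNonRoot           # Pods that would run as UID 0 are rejected
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: [configMap, secret, emptyDir, projected, downwardAPI, persistentVolumeClaim]
---
# ClusterRole granting the "use" verb on exactly this policy
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]
    verbs: ["use"]
---
# The admission controller checks the Pod's serviceAccount, so bind it here
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:restricted:web
  namespace: prod
subjects:
  - kind: ServiceAccount
    name: web
    namespace: prod
roleRef:
  kind: ClusterRole
  name: psp:restricted
  apiGroup: rbac.authorization.k8s.io
```

These manifests only take effect when the PodSecurityPolicy admission controller is enabled on the API server; note that the `policy/v1beta1` PodSecurityPolicy API was removed in Kubernetes 1.25.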