A Pod Security Policy (PSP) is a kubernetes resources that allows us to set security limitations on pods across the cluster. In order to use a PSP, the controller needs to be enabled. The purpose of a PSP is to govern the behavior of pods in the cluster. PSP operates in a cluster wide level. If you read my previous post or have heard about security context in the past, you might be wondering how its different from PSP. The difference biggest difference is that PSP operates on a cluster level and configuration no longer need to be attached to pod manifest. So it basically automates the enforcement of security context. Below is an example of a PSP that stops the creation of privileged pods.
apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: hello spec: privileged: false seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*'