PodSecurityPolicy deprecation

PodSecurityPolicy (beta) is deprecated in Kubernetes version 1.21 and removed in version 1.25. To learn more, refer to the PodSecurityPolicy deprecation blog post. For Google Kubernetes Engine (GKE) clusters running version 1.25 or later, you can no longer use PodSecurityPolicy, and you must disable the feature before upgrading to versions 1.25 or later. For instructions, refer to Migrate from PodSecurityPolicy.

Alternatives to PodSecurityPolicy

If you want to continue using Pod-level security controls in GKE, we recommend one of the following solutions:

  • Use the PodSecurity admission controller: You can use the PodSecurity admission controller to apply Pod Security Standards to Pods running on your GKE Standard and Autopilot clusters. Pod Security Standards are predefined security policies that meet the high-level needs of Pod security in Kubernetes. These policies are cumulative, and range from being highly permissive to being highly restrictive.

    To migrate your existing PodSecurityPolicy configuration to PodSecurity, refer to Migrate from PodSecurityPolicy.

  • Use Config Management Policy Controller with the Pod Security Policy bundle: Policy Controller lets you apply and enforce security policies in your GKE clusters. Policy Controller bundles, like the Pod Security Policy bundle, let you enforce the same validations as PodSecurityPolicy with capabilities such as dry-run and fine-grained control over resource coverage.

    For more information, refer to Use Policy Controller's Pod Security Policy bundle.

  • Use Gatekeeper: GKE Standard clusters allow you to apply security policies using Gatekeeper. You can use Gatekeeper to enforce the same capabilities as PodSecurityPolicy, as well as take advantage of other functionality such as dry-run, gradual rollouts, and auditing.

    For more information, refer to Apply custom Pod-level security policies using Gatekeeper.

  • Use GKE Autopilot clusters: GKE Autopilot clusters implement many of the recommended security policies by default.

    For more information, refer to the Autopilot overview.

View deprecation insights and recommendations

You can check which clusters use this deprecated feature by using deprecation insights. Deprecation insights for this feature are supported for clusters running any GKE version.