PodSecurityPolicy deprecation

As of Kubernetes version 1.21, PodSecurityPolicy (beta) is deprecated. The Kubernetes project aims to remove the feature in version 1.25. After that removal, you can no longer use PodSecurityPolicy in Google Kubernetes Engine (GKE). You must disable the PodSecurityPolicy feature before you can upgrade to GKE version 1.25 and later. For instructions, refer to Migrate from PodSecurityPolicy.

For more information on the deprecation, refer to the PodSecurityPolicy deprecation blog post.

Alternatives to PodSecurityPolicy

If you want to continue using Pod-level security controls in GKE, we recommend one of the following solutions:

  • Use the PodSecurity admission controller: You can use the PodSecurity admission controller to apply Pod Security Standards to Pods running on your GKE Standard and Autopilot clusters. Pod Security Standards are predefined security policies that meet the high-level needs of Pod security in Kubernetes. These policies are cumulative, and range from being highly permissive to being highly restrictive.

    To migrate your existing PodSecurityPolicy configuration to PodSecurity, refer to Migrate from PodSecurityPolicy.

  • Use Anthos Config Management Policy Controller with the Pod Security Policy bundle: Policy Controller lets you apply and enforce security policies in your GKE clusters. Policy Controller bundles, like the Pod Security Policy bundle, let you enforce the same validations as PodSecurityPolicy with capabilities such as dry-run and fine-grained control over resource coverage.

    For more information, refer to Use Policy Controller's Pod Security Policy bundle.

  • Use Gatekeeper: GKE Standard clusters allow you to apply security policies using Gatekeeper. You can use Gatekeeper to enforce the same capabilities as PodSecurityPolicy, as well as take advantage of other functionality such as dry-run, gradual rollouts, and auditing.

    For more information, refer to Apply custom Pod-level security policies using Gatekeeper.

  • Use GKE Autopilot clusters: GKE Autopilot clusters implement many of the recommended security policies by default.

    For more information, refer to the Autopilot overview.
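The PodSecurity admission controller listed above is configured per namespace with labels rather than with a cluster-wide policy object. The following manifest is an added example, not code from the GKE documentation; the namespace name, Pod name and container image are placeholders. It shows the usual migration pattern: enforce the baseline standard immediately, while only auditing and warning on the stricter restricted standard so that violating workloads can be found before enforcement is tightened. The Pod that follows it sets every field the restricted standard requires, so it is admitted without warnings.

```yaml
# Added example (not from the GKE docs). Namespace "payments" is an assumption.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Reject any Pod that violates the "baseline" Pod Security Standard
    # (no privileged containers, no host namespaces, no HostPath volumes, ...).
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # Record an audit annotation and return a client warning for anything that
    # would fail the stricter "restricted" standard, without blocking it.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
---
# A Pod whose securityContext satisfies the "restricted" standard, so it is
# admitted in the namespace above with no warning and no audit annotation.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true            # required by "restricted"
    seccompProfile:
      type: RuntimeDefault        # "restricted" requires an explicit profile
  containers:
  - name: app
    image: example.com/app:1.0    # placeholder image
    securityContext:
      allowPrivilegeEscalation: false   # required by "restricted"
      capabilities:
        drop: ["ALL"]                   # "restricted" allows only NET_BIND_SERVICE to be re-added
```

With these labels, a Pod that sets `hostNetwork: true` or `privileged: true` is rejected outright by the enforce label, while a Pod that merely omits `seccompProfile` is admitted but produces a warning and an audit annotation, which is the signal to fix that workload before raising `enforce` to `restricted`. Before applying the enforce label to existing namespaces, `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline` lists the Pods in each namespace that would be rejected, without changing anything.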