PodSecurityPolicy deprecation

Stay organized with collections Save and categorize content based on your preferences.

As of Kubernetes version 1.21, PodSecurityPolicy (beta) is deprecated. The Kubernetes project aims to shut the feature down in version 1.25. When this shutdown occurs, you can no longer use PodSecurityPolicy in Google Kubernetes Engine (GKE). You must disable the PodSecurityPolicy feature before you can upgrade to GKE version 1.25 and later. For instructions, refer to Migrate from PodSecurityPolicy.

For more information on the deprecation, refer to the PodSecurityPolicy deprecation blog post.

Alternatives to PodSecurityPolicy

If you want to continue using Pod-level security controls in GKE, we recommend one of the following solutions:

  • Use the PodSecurity admission controller: You can use the PodSecurity admission controller to apply Pod Security Standards to Pods running on your GKE Standard and Autopilot clusters. Pod Security Standards are predefined security policies that meet the high-level needs of Pod security in Kubernetes. These policies are cumulative, and range from being highly permissive to being highly restrictive.

    To migrate your existing PodSecurityPolicy configuration to PodSecurity, refer to Migrate from PodSecurityPolicy.

  • Use Gatekeeper: GKE Standard clusters allow you to apply security policies using Gatekeeper. You can use Gatekeeper to enforce the same capabilities as PodSecurityPolicy, as well as take advantage of other functionality such as dry-run, gradual rollouts, and auditing.

    For more information, refer to Apply custom Pod-level security policies using Gatekeeper.

  • Use GKE Autopilot clusters: GKE Autopilot clusters implement many of the recommended security policies by default.

    For more information, refer to the Autopilot overview.