{"id":172,"date":"2025-05-22T12:59:41","date_gmt":"2025-05-22T12:59:41","guid":{"rendered":"https:\/\/devsecopsschool.com\/blog\/?p=172"},"modified":"2025-05-22T12:59:41","modified_gmt":"2025-05-22T12:59:41","slug":"pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial","status":"publish","type":"post","link":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/","title":{"rendered":"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction &amp; Overview<\/h2>\n\n\n\n<p>Pod Security Policies (PSP) are a critical Kubernetes feature for enforcing security constraints on pods, aligning seamlessly with DevSecOps principles of integrating security into development and operations. This tutorial provides an in-depth exploration of PSP, covering its concepts, setup, real-world applications, and best practices, tailored for DevSecOps practitioners.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is Pod Security Policies (PSP)?<\/h3>\n\n\n\n<p>Pod Security Policies are Kubernetes cluster-level resources that define security-related conditions pods must meet to be accepted by the cluster. They control aspects like privilege escalation, container capabilities, and user permissions, ensuring workloads adhere to organizational security standards.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">History or Background<\/h3>\n\n\n\n<p>Introduced in Kubernetes 1.3 (2016), PSPs evolved to address the need for fine-grained security controls in containerized environments. They were deprecated in Kubernetes 1.21 (2021) and removed in 1.25 (2022), replaced by Pod Security Standards (PSS) and alternatives like Open Policy Agent (OPA). 
This tutorial focuses on PSPs for legacy systems and their relevance in DevSecOps.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why is it Relevant in DevSecOps?<\/h3>\n\n\n\n<p>In DevSecOps, security is embedded throughout the software development lifecycle (SDLC). PSPs contribute by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforcing Security Early<\/strong>: Preventing insecure pod configurations during deployment.<\/li>\n\n\n\n<li><strong>Automating Compliance<\/strong>: Aligning with standards like CIS Benchmarks or NIST.<\/li>\n\n\n\n<li><strong>Reducing Attack Surface<\/strong>: Limiting privileges to minimize risks in containerized workloads.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Core Concepts &amp; Terminology<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Key Terms and Definitions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Pod<\/strong>: The smallest deployable unit in Kubernetes, consisting of one or more containers.<\/li>\n\n\n\n<li><strong>Pod Security Policy<\/strong>: A cluster-level resource defining security constraints for pods.<\/li>\n\n\n\n<li><strong>RBAC<\/strong>: Role-Based Access Control, used alongside PSP to manage permissions.<\/li>\n\n\n\n<li><strong>Security Context<\/strong>: Pod or container-level settings for security (e.g., user IDs).<\/li>\n\n\n\n<li><strong>Admission Controller<\/strong>: Kubernetes component that enforces PSPs during pod creation.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Term<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><strong>PSP<\/strong><\/td><td>A Kubernetes resource defining security policies for pod creation.<\/td><\/tr><tr><td><strong>Security Context<\/strong><\/td><td>Pod-level setting defining privileges and access controls.<\/td><\/tr><tr><td><strong>Admission Controller<\/strong><\/td><td>Kubernetes component that enforces PSPs on pod 
requests.<\/td><\/tr><tr><td><strong>RunAsUser<\/strong><\/td><td>Specifies the user ID under which the container runs.<\/td><\/tr><tr><td><strong>SELinuxOptions<\/strong><\/td><td>Defines SELinux labels for access control.<\/td><\/tr><tr><td><strong>Capabilities<\/strong><\/td><td>Linux capabilities that can be added\/dropped in containers.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">How It Fits into the DevSecOps Lifecycle<\/h3>\n\n\n\n<p>PSPs integrate into the DevSecOps lifecycle by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Build Phase<\/strong>: Ensuring container images adhere to security baselines.<\/li>\n\n\n\n<li><strong>Deploy Phase<\/strong>: Validating pod configurations via admission controllers.<\/li>\n\n\n\n<li><strong>Run Phase<\/strong>: Monitoring and auditing running pods for compliance.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>DevSecOps Stage<\/th><th>PSP Role<\/th><\/tr><\/thead><tbody><tr><td>Plan<\/td><td>Define security policies for pods aligned with org policies<\/td><\/tr><tr><td>Develop<\/td><td>Educate developers on security requirements enforced by PSP<\/td><\/tr><tr><td>Build<\/td><td>Validate images and configurations that will comply with PSP<\/td><\/tr><tr><td>Test<\/td><td>Use admission policies to catch security misconfigurations early<\/td><\/tr><tr><td>Release<\/td><td>Enforce consistent runtime security rules across environments<\/td><\/tr><tr><td>Deploy<\/td><td>Block non-compliant pods from running<\/td><\/tr><tr><td>Operate<\/td><td>Monitor policy violations and update policies for evolving threats<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Architecture &amp; How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Components and Internal Workflow<\/h3>\n\n\n\n<p>PSPs operate through Kubernetes\u2019 admission control mechanism. 
Key components include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PSP Resource<\/strong>: Defines rules (e.g., <code>privileged: false<\/code>, <code>runAsUser<\/code>).<\/li>\n\n\n\n<li><strong>Admission Controller<\/strong>: Enforces PSP rules during pod creation or update.<\/li>\n\n\n\n<li><strong>RBAC Integration<\/strong>: Links PSPs to users or service accounts via roles.<\/li>\n<\/ul>\n\n\n\n<p>The workflow is:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A user submits a pod creation request.<\/li>\n\n\n\n<li>The Kubernetes API server invokes the PSP admission controller.<\/li>\n\n\n\n<li>The controller validates the pod against applicable PSPs.<\/li>\n\n\n\n<li>If compliant, the pod is created; otherwise, it\u2019s rejected.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture Diagram Description<\/h3>\n\n\n\n<p>Visualize a flowchart with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A user submitting a pod manifest to the Kubernetes API Server.<\/li>\n\n\n\n<li>The API Server forwarding the request to the PSP Admission Controller.<\/li>\n\n\n\n<li>The controller checking the pod against PSP rules (stored in etcd).<\/li>\n\n\n\n<li>Arrows showing approval (to pod creation) or rejection (error to user).<\/li>\n\n\n\n<li>RBAC roles linking users to PSPs.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#091; Developer\/User ]\n        \u2193\n   &#091; kubectl apply ]\n        \u2193\n&#091; Kubernetes API Server ]\n        \u2193\n&#091; Admission Controller (PSP) ]\n        \u2193       \u2198\n &#091; Valid PSP ]   &#091; Rejected ]\n        \u2193\n   &#091; Pod Scheduled ]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Integration Points with CI\/CD or Cloud Tools<\/h3>\n\n\n\n<p>PSPs integrate with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CI\/CD Pipelines<\/strong>: Tools like Jenkins or GitLab CI validate pod specs before deployment.<\/li>\n\n\n\n<li><strong>Cloud Tools<\/strong>: AWS EKS, GCP 
GKE, or Azure AKS enable PSPs via cluster configurations.<\/li>\n\n\n\n<li><strong>Monitoring Tools<\/strong>: Prometheus or Grafana track PSP violations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Installation &amp; Getting Started<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Basic Setup or Prerequisites<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kubernetes cluster (v1.21 or earlier for PSP support).<\/li>\n\n\n\n<li><code>kubectl<\/code> configured with cluster admin access.<\/li>\n\n\n\n<li>RBAC enabled in the cluster.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hands-On: Step-by-Step Beginner-Friendly Setup Guide<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Enable PSP<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Edit the API server configuration (e.g., <code>\/etc\/kubernetes\/manifests\/kube-apiserver.yaml<\/code>).<\/li>\n\n\n\n<li>Add <code>--enable-admission-plugins=PodSecurityPolicy<\/code> to the <code>kube-apiserver<\/code> flags.<\/li>\n\n\n\n<li>Restart the API server.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Create a PSP<\/strong>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: policy\/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n  name: restricted-psp\nspec:\n  privileged: false\n  runAsUser:\n    rule: MustRunAsNonRoot\n  seLinux:\n    rule: RunAsAny\n  fsGroup:\n    rule: RunAsAny\n  supplementalGroups:\n    rule: RunAsAny\n  volumes:\n    - 'configMap'\n    - 'secret'\n<\/code><\/pre>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Apply the PSP<\/strong>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f restricted-psp.yaml\n<\/code><\/pre>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Link PSP to RBAC<\/strong>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  name: use-restricted-psp\nrules:\n- apiGroups: &#091;'policy']\n  resources: &#091;'podsecuritypolicies']\n  verbs: &#091;'use']\n  resourceNames: &#091;'restricted-psp']\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: restricted-psp-binding\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: use-restricted-psp\nsubjects:\n- kind: ServiceAccount\n  name: default\n  namespace: default\n<\/code><\/pre>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Test a Pod<\/strong>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: v1\nkind: Pod\nmetadata:\n  name: test-pod\nspec:\n  containers:\n  - name: nginx\n    image: nginx\n<\/code><\/pre>\n\n\n\n<p>Apply the pod manifest and verify whether the pod complies with the PSP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Real-World Use Cases<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial Services<\/strong>: A bank uses PSPs to ensure containers run as non-root users, preventing privilege escalation in payment processing apps.<\/li>\n\n\n\n<li><strong>Healthcare<\/strong>: A hospital enforces PSPs to restrict volume mounts, ensuring HIPAA compliance for patient data workloads.<\/li>\n\n\n\n<li><strong>E-commerce<\/strong>: An online retailer uses PSPs to limit network policies, reducing risks of data breaches in customer-facing apps.<\/li>\n\n\n\n<li><strong>CI\/CD Pipelines<\/strong>: A DevSecOps team integrates PSP validation in GitLab CI to catch insecure pod configurations pre-deployment.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Benefits &amp; Limitations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Key Advantages<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Granular control over pod security settings.<\/li>\n\n\n\n<li>Seamless integration with Kubernetes RBAC.<\/li>\n\n\n\n<li>Enhances compliance with industry standards.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common Challenges or Limitations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deprecated in Kubernetes 1.21; not supported in newer 
clusters.<\/li>\n\n\n\n<li>Complex RBAC setup can lead to misconfigurations.<\/li>\n\n\n\n<li>Limited flexibility compared to modern alternatives like OPA.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Best Practices &amp; Recommendations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security<\/strong>: Use restrictive PSPs by default; allow exceptions via RBAC.<\/li>\n\n\n\n<li><strong>Performance<\/strong>: Minimize PSP complexity to reduce admission controller overhead.<\/li>\n\n\n\n<li><strong>Maintenance<\/strong>: Regularly audit PSPs and RBAC bindings for compliance.<\/li>\n\n\n\n<li><strong>Compliance<\/strong>: Align PSPs with CIS Kubernetes Benchmarks.<\/li>\n\n\n\n<li><strong>Automation<\/strong>: Use tools like Terraform to manage PSP configurations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Comparison with Alternatives<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>PSP<\/th><th>Pod Security Standards (PSS)<\/th><th>OPA\/Gatekeeper<\/th><\/tr><\/thead><tbody><tr><td>Granularity<\/td><td>High (pod-level controls)<\/td><td>Medium (baseline, restricted, privileged)<\/td><td>Very high (custom policies)<\/td><\/tr><tr><td>Ease of Use<\/td><td>Complex RBAC setup<\/td><td>Simple, built-in<\/td><td>Moderate, requires policy authoring<\/td><\/tr><tr><td>Kubernetes Support<\/td><td>Deprecated (1.21+)<\/td><td>Native (1.21+)<\/td><td>External, ongoing support<\/td><\/tr><tr><td>Flexibility<\/td><td>Limited to pod settings<\/td><td>Predefined profiles<\/td><td>Highly customizable<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">When to Choose PSP<\/h3>\n\n\n\n<p>Use PSPs for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Legacy Kubernetes clusters (pre-1.25).<\/li>\n\n\n\n<li>Environments requiring strict pod-level security without external tools.<\/li>\n<\/ul>\n\n\n\n<p>Choose alternatives like PSS or OPA for modern clusters or complex policy 
needs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Pod Security Policies remain a valuable tool for securing Kubernetes workloads in legacy environments, offering granular control and DevSecOps alignment. While deprecated, their principles inform modern solutions like PSS and OPA. Future trends point to policy-as-code approaches for enhanced flexibility. For next steps, explore PSP setups in test clusters or transition to PSS for newer Kubernetes versions.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction &amp; Overview Pod Security Policies (PSP) are a critical Kubernetes feature for enforcing security constraints on pods, aligning seamlessly with DevSecOps principles of integrating security into development and operations. This tutorial provides an in-depth exploration of PSP, covering its concepts, setup, real-world applications, and best practices, tailored for DevSecOps practitioners. What is Pod Security &#8230; <a title=\"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial\" class=\"read-more\" href=\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\" aria-label=\"Read more about Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-172","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial - DevSecOps School<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link 
rel=\"canonical\" href=\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial - DevSecOps School\" \/>\n<meta property=\"og:description\" content=\"Introduction &amp; Overview Pod Security Policies (PSP) are a critical Kubernetes feature for enforcing security constraints on pods, aligning seamlessly with DevSecOps principles of integrating security into development and operations. This tutorial provides an in-depth exploration of PSP, covering its concepts, setup, real-world applications, and best practices, tailored for DevSecOps practitioners. What is Pod Security ... Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\" \/>\n<meta property=\"og:site_name\" content=\"DevSecOps School\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-22T12:59:41+00:00\" \/>\n<meta name=\"author\" content=\"pritesh k\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"pritesh k\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\"},\"author\":{\"name\":\"pritesh k\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/7e884a8b201ba380e56441154dbedbc6\"},\"headline\":\"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial\",\"datePublished\":\"2025-05-22T12:59:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\"},\"wordCount\":1005,\"commentCount\":0,\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\",\"url\":\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\",\"name\":\"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial - DevSecOps 
School\",\"isPartOf\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#website\"},\"datePublished\":\"2025-05-22T12:59:41+00:00\",\"author\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/7e884a8b201ba380e56441154dbedbc6\"},\"breadcrumb\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/devsecopsschool.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#website\",\"url\":\"https:\/\/devsecopsschool.com\/blog\/\",\"name\":\"DevSecOps School\",\"description\":\"DevSecOps Redefined\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/devsecopsschool.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/7e884a8b201ba380e56441154dbedbc6\",\"name\":\"pritesh 
k\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/231a0e8b7a02636f2fbacf8dcf4494cb1cc0d49ecc9a8165fbaeaeeaf102641a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/231a0e8b7a02636f2fbacf8dcf4494cb1cc0d49ecc9a8165fbaeaeeaf102641a?s=96&d=mm&r=g\",\"caption\":\"pritesh k\"},\"url\":\"https:\/\/devsecopsschool.com\/blog\/author\/priteshgeek\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial - DevSecOps School","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/","og_locale":"en_US","og_type":"article","og_title":"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial - DevSecOps School","og_description":"Introduction &amp; Overview Pod Security Policies (PSP) are a critical Kubernetes feature for enforcing security constraints on pods, aligning seamlessly with DevSecOps principles of integrating security into development and operations. This tutorial provides an in-depth exploration of PSP, covering its concepts, setup, real-world applications, and best practices, tailored for DevSecOps practitioners. What is Pod Security ... Read more","og_url":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/","og_site_name":"DevSecOps School","article_published_time":"2025-05-22T12:59:41+00:00","author":"pritesh k","twitter_card":"summary_large_image","twitter_misc":{"Written by":"pritesh k","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#article","isPartOf":{"@id":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/"},"author":{"name":"pritesh k","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/7e884a8b201ba380e56441154dbedbc6"},"headline":"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial","datePublished":"2025-05-22T12:59:41+00:00","mainEntityOfPage":{"@id":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/"},"wordCount":1005,"commentCount":0,"inLanguage":"en","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/","url":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/","name":"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial - DevSecOps 
School","isPartOf":{"@id":"https:\/\/devsecopsschool.com\/blog\/#website"},"datePublished":"2025-05-22T12:59:41+00:00","author":{"@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/7e884a8b201ba380e56441154dbedbc6"},"breadcrumb":{"@id":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/devsecopsschool.com\/blog\/pod-security-policies-psp-in-devsecops-a-comprehensive-tutorial\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/devsecopsschool.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Pod Security Policies (PSP) in DevSecOps: A Comprehensive Tutorial"}]},{"@type":"WebSite","@id":"https:\/\/devsecopsschool.com\/blog\/#website","url":"https:\/\/devsecopsschool.com\/blog\/","name":"DevSecOps School","description":"DevSecOps Redefined","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/devsecopsschool.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en"},{"@type":"Person","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/7e884a8b201ba380e56441154dbedbc6","name":"pritesh k","image":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/231a0e8b7a02636f2fbacf8dcf4494cb1cc0d49ecc9a8165fbaeaeeaf102641a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/231a0e8b7a02636f2fbacf8dcf4494cb1cc0d49ecc9a8165fbaeaeeaf102641a?s=96&d=mm&r=g","caption":"pritesh 
k"},"url":"https:\/\/devsecopsschool.com\/blog\/author\/priteshgeek\/"}]}},"_links":{"self":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=172"}],"version-history":[{"count":1,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/172\/revisions"}],"predecessor-version":[{"id":173,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/172\/revisions\/173"}],"wp:attachment":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}