Hardening Kubernetes Pod Security with OPA Gatekeeper and Pod Security Standards

Scenario

In a multi-tenant Kubernetes cluster, development teams deploy workloads, but the security team needs to enforce pod security without breaking existing applications. Many pods run as root, use privileged containers, or add dangerous capabilities. Security audits reveal numerous violations, and manual reviews are resisted.

Symptoms

• Security audit reports: many pods running as root, with privileged access, or with dangerous capabilities.
• Developers resist manual security reviews; PodSecurityPolicy (PSP) is deprecated and lacks automation.

Diagnosis

Use kubectl to inspect pod security contexts:

kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.containers[*].securityContext.privileged}{.spec.containers[*].securityContext.runAsUser}{.spec.containers[*].securityContext.capabilities.add}{"\n"}{end}' | head -20

Check for privileged pods:

kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged == true) | {namespace: .metadata.namespace, name: .metadata.name}'

Identify namespaces that need hardening.

Commands (Implementation)

1. Install OPA Gatekeeper:

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

1. Deploy Pod Security Standards constraint templates (Baseline and Restricted):

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8spspbaseline
spec:
  crd:
    spec:
      names:
        kind: K8sPSPBaseline
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8spspbaseline
        violation[{"msg": msg}] {
          # Implement Baseline constraint logic
          msg := sprintf("Pod %v in namespace %v violates Baseline Pod Security Standard", [input.review.object.metadata.name, input.review.object.metadata.namespace])
        }

1. Apply constraints in audit mode:

kubectl apply -f constraint.yaml --dry-run=server

1. Enforce on specific namespaces:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPBaseline
metadata:
  name: pod-security-baseline
spec:
  match:
    namespaces: ["prod", "staging"]
  enforcementAction: dryrun

Then change to warn or deny.

Risk Controls

• Use dryrun mode first to collect violations.
• Exclude namespaces running critical DaemonSets or system components.
• Add label security.opsglobal.io/exempt=true to skip checks.
• Test thoroughly in non-production environments.

Rollback

Delete constraint templates and instances, or revert to audit mode:

kubectl delete constrainttemplate k8spspbaseline
kubectl delete constraint pod-security-baseline

Verification

Check Gatekeeper violation status:

kubectl get constrainttemplates
kubectl get K8sPSPBaseline -o yaml

Test with a sample pod:

kubectl run nginx --image=nginx --restart=Never --dry-run=server -o yaml | kubectl apply -f -

If violating, it should be rejected or warned.

When to Submit an OpsGlobal Ticket

• Need consistent enforcement across multiple clusters.
• Custom constraint template development.
• Performance tuning (Gatekeeper latency).
• Handling large-scale violations with urgent remediation.