Enforcing node security with GateKeeper
So far, we've seen what can happen when containers are allowed to run on a node without any security policies in place. We've also examined what goes into building a secure container, which will make enforcing node security much easier. The next step is to examine how to design and build policies using GateKeeper to lock down your containers.
What about Pod security policies?
Doesn't Kubernetes have a built-in mechanism for enforcing node security? It does, but it's going away. In 2018, the Kubernetes project decided that the PSP API would never leave beta. The configuration was too confusing, being a hybrid of Linux-focused configuration options and RBAC assignments. It was determined that the fix would likely mean an incompatible final release from the current release. Instead of marking a complex and difficult-to-manage API as generally available, the project made a difficult decision to deprecate the API.
...