How to check if pod security policy is enabled?

10/31/2018

I am trying to debug why pod security policy (psp) isn't applying. Running the following shows no resources found. Not sure if this is sufficient to confirm psp is enabled.

$ kubectl get psp
No resources found.

Thanks.

-- ZPrime
kubernetes

2 Answers

10/31/2018

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies

Pod security policy control is implemented as an optional (but recommended) admission controller. PodSecurityPolicies are enforced by enabling the admission controller, but doing so without authorizing any policies will prevent any pods from being created in the cluster.

Since the pod security policy API (policy/v1beta1/podsecuritypolicy) is enabled independently of the admission controller, for existing clusters it is recommended that policies are added and authorized before enabling the admission controller.

-- Ijaz Ahmad Khan
Source: StackOverflow

12/19/2019

No, it's not enough to prove it's enabled, as Ijaz mentioned by quoting the documentation.

On GCP, you can do that:

gcloud beta container clusters describe $CLUSTER_NAME  --zone $CLUSTER_ZONE | grep -A 1 podSecurityPolicyConfig

If enabled, the expected output is:

podSecurityPolicyConfig:
  enabled: true

Otherwise you'll get something like that:

podSecurityPolicyConfig: {}
privateCluster: true

-- tisc0
Source: StackOverflow
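As an added example (not part of either answer above), the following POSIX shell snippet turns the `gcloud ... describe` check from the second answer into a scriptable test: it parses the `podSecurityPolicyConfig` block of the describe output and reports whether the PodSecurityPolicy admission controller is enabled on a GKE cluster. The two sample outputs embedded below are constructed to mirror the enabled and disabled cases quoted in the answer; the live-cluster usage line assumes `gcloud` is installed and authenticated.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Reads `gcloud [beta] container clusters describe` output on stdin and prints
# "enabled" or "disabled" depending on the podSecurityPolicyConfig block.
psp_status_from_describe() {
  awk '
    # Empty object form: "podSecurityPolicyConfig: {}" means PSP is off.
    /^podSecurityPolicyConfig: *[{][}]/ { print "disabled"; found = 1; exit }
    # Nested block form: look at the indented keys that follow.
    /^podSecurityPolicyConfig:/         { inblock = 1; next }
    inblock && /^[^ ]/                  { inblock = 0 }
    inblock && /^ +enabled: *true/      { print "enabled";  found = 1; exit }
    inblock && /^ +enabled: *false/     { print "disabled"; found = 1; exit }
    # No block at all is treated as disabled (the admission controller is opt-in).
    END { if (!found) print "disabled" }
  '
}

# Exit status 0 when PSP is enabled, 1 otherwise; convenient for `if`/`&&`.
psp_enabled() {
  [ "$(psp_status_from_describe)" = "enabled" ]
}

# Constructed samples that mirror the two outputs quoted in the answer.
SAMPLE_ENABLED='masterAuth:
  clusterCaCertificate: REDACTED
podSecurityPolicyConfig:
  enabled: true
privateCluster: true'

SAMPLE_DISABLED='masterAuth:
  clusterCaCertificate: REDACTED
podSecurityPolicyConfig: {}
privateCluster: true'

# Live usage (assumes gcloud is installed and authenticated; CLUSTER_NAME and
# CLUSTER_ZONE are placeholders you set for your cluster):
#   gcloud beta container clusters describe "$CLUSTER_NAME" --zone "$CLUSTER_ZONE" \
#     | psp_status_from_describe
```

Note that this only tells you whether GKE has turned the admission controller on; as the first answer explains, whether any pod is actually admitted still depends on which PodSecurityPolicies exist and are authorized for the pod's service account.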