There are a myriad of ways to secure a Kubernetes cluster, whether through implementing Network Policies to control ingress/egress traffic, Role Based Access Control, or multi-tenancy. One of the most effective ways to manage what gets run on your cluster is through the creation of Pod Security Policies.
A Pod Security Policy defines a set of conditions a pod must run with in order to run on the cluster. These conditions span host-level access, to a range of UIDs a container can run as, and even what volumes a pod can use.
In this article, I will lay out a blueprint for applying a secure-first mindset for your cluster through the implementation of Pod Security Policies. With a secure or restricted-first mindset, you will by default, lock-down your cluster to run secure workloads and through review, make exceptions for those workloads which require privileged access. …