This topic describes how to use Kubernetes Pod Security Admission (PSA) with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

Note: Support for Kubernetes Pod Security Policy (PSP) has been removed in Kubernetes v1.25.

About Pod Security Admission

Pod Security Admission (PSA) is the admission controller built into Kubernetes that enforces the Pod Security Standards (the privileged, baseline, and restricted levels) and is the Kubernetes-recommended replacement for Pod Security Policy. TKGI supports the built-in PSA controller, and PSA is enabled by default in TKGI.

For more information on PSA, see Pod Security Admission in the Kubernetes documentation.

Pod Security Admission and TKGI

Note: PSA levels are set as labels on the namespace, so anyone who can create, update, or patch a Namespace object in a TKGI cluster can change or remove the level that is enforced in it. To keep the policy trustworthy, restrict those namespace permissions to trusted user accounts.

The following table lists the PSA level that each TKGI system namespace requires. Do not label these namespaces with a stricter level than the one listed: PSA rejects pods that violate the enforce level at admission time, including pods re-created by DaemonSets and ReplicaSets, so over-restricting kube-system or pks-system breaks the platform components that run there.

TKGI System Namespace        PSA Level
kube-system                  Privileged
nsx-system                   Restricted
pks-system                   Privileged
pks-system-host-monitoring   Restricted
vmware-system-csi            Baseline

For more information on implementing Pod Security Standards with namespace labels, see Enforce Pod Security Standards with Namespace Labels in the Kubernetes documentation.
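The following shell script is an added example and is not part of the TKGI documentation or product. It turns the table above into Namespace manifests that carry the PSA namespace labels (enforce, audit, and warn, each with its version pin) described in Enforce Pod Security Standards with Namespace Labels, and it refuses any level that is not one of the three Pod Security Standards. The namespace names and levels are taken from the table; the function names and the PSA_VERSION pin (defaulting to latest) are assumptions.

```shell
#!/bin/sh
# Added example, not TKGI's own tooling: emit Namespace manifests whose
# pod-security.kubernetes.io labels set the PSA level for each TKGI
# system namespace listed in the table above.
# Assumption: PSA_VERSION is the Pod Security Standards version to pin
# ("latest" or a minor version such as v1.25); default is "latest".

PSA_VERSION="${PSA_VERSION:-latest}"

# psa_namespace_manifest NAME LEVEL
# Prints a Namespace manifest that enforces, audits and warns at LEVEL.
# Prints nothing and returns 1 if LEVEL is not privileged|baseline|restricted,
# so a typo can never silently produce an unlabeled (i.e. privileged) namespace.
psa_namespace_manifest() {
  ns="$1"
  level=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$level" in
    privileged|baseline|restricted) ;;
    *) echo "psa_namespace_manifest: invalid PSA level '$2' for namespace $ns" >&2
       return 1 ;;
  esac
  cat <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
  labels:
    pod-security.kubernetes.io/enforce: ${level}
    pod-security.kubernetes.io/enforce-version: ${PSA_VERSION}
    pod-security.kubernetes.io/audit: ${level}
    pod-security.kubernetes.io/audit-version: ${PSA_VERSION}
    pod-security.kubernetes.io/warn: ${level}
    pod-security.kubernetes.io/warn-version: ${PSA_VERSION}
EOF
}

# psa_tkgi_level NAME
# Prints the level the table above lists for a TKGI system namespace;
# returns 1 for any namespace not in the table.
psa_tkgi_level() {
  case "$1" in
    kube-system)                echo privileged ;;
    nsx-system)                 echo restricted ;;
    pks-system)                 echo privileged ;;
    pks-system-host-monitoring) echo restricted ;;
    vmware-system-csi)          echo baseline ;;
    *) return 1 ;;
  esac
}

# psa_tkgi_manifests
# Emits one manifest per TKGI system namespace at exactly its required level.
psa_tkgi_manifests() {
  for ns in kube-system nsx-system pks-system pks-system-host-monitoring vmware-system-csi; do
    psa_namespace_manifest "$ns" "$(psa_tkgi_level "$ns")" || return 1
  done
}

# Stand-alone run: print all five manifests to stdout.
psa_tkgi_manifests
```

Review the output before applying it; then `sh psa-manifests.sh | kubectl apply --dry-run=server -f -` lets the API server validate the labels without changing anything, and dropping `--dry-run=server` applies them (kubectl apply merges labels into an existing namespace). Because PSA only evaluates pods at admission, labeling a namespace does not evict pods that already violate the level; to see what would be rejected before you enforce, run `kubectl label --dry-run=server --overwrite ns NAME pod-security.kubernetes.io/enforce=LEVEL` and read the warnings it prints for the existing pods in that namespace.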

Migrate from PSP to PSA Controller

To migrate from PSP to PSA Controller, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller in the Kubernetes documentation.
