This topic describes how to use Kubernetes Pod Security Admission (PSA) with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
Note: Support for Kubernetes Pod Security Policy (PSP) has been removed in Kubernetes v1.25.
PSA is the Kubernetes-recommended way to implement security standards. TKGI supports the built-in PSA in Kubernetes. PSA is enabled in TKGI, by default.
For more information on PSA, see Pod Security Admission in the Kubernetes documentation.
Note: To control the PSA security permissions in a TKGI namespace, you must have the privileges to create, update, or patch the namespace. To ensure security of the system, restrict the namespace permissions to the trusted user accounts.
The following table describes the required PSA level for TKGI System namespaces:
| TKGI System Namespace | PSA Level |
|---|---|
| kube-system | Privileged |
| nsx-system | Restricted |
| pks-system | Privileged |
| pks-system-host-monitoring | Restricted |
| vmware-system-csi | Baseline |
For more information on implementing Pod Security Standards with namespace labels, see Enforce Pod Security Standards with Namespace Labels in the Kubernetes documentation.
To migrate from PSP to PSA Controller, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller in the Kubernetes documentation.
