
kube-psp-advisor

kube-psp-advisor is a tool that analyzes running Kubernetes workloads and generates recommended Pod Security Policies (PSP) or Pod Security Standards (PSS) based on their actual security requirements. Instead of starting from a policy that is either too permissive or too restrictive, it reads the securityContext, volume and capability settings the workloads already use and produces the least-privileged policy that still admits them.

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 (the policy/v1beta1 API no longer exists), so the PSP output only helps on clusters still running 1.24 or earlier. For newer clusters, kube-psp-advisor can also generate Pod Security Standards recommendations for the built-in Pod Security Admission controller.


Use Cases

  • Generate baseline security policies based on actual workload requirements.
  • Migrate from permissive policies to least-privilege configurations.
  • Understand what security permissions workloads actually use.
  • Plan migration from PSP to Pod Security Admission.
  • Audit workloads against desired security standards.

Installation

Using kubectl krew

kubectl krew install advise-psp

Using Go

go install github.com/sysdiglabs/kube-psp-advisor@latest

From GitHub Releases

curl -LO https://github.com/sysdiglabs/kube-psp-advisor/releases/download/v1.0.0/kube-psp-advisor_linux_amd64.tar.gz
tar xzf kube-psp-advisor_linux_amd64.tar.gz
chmod +x kube-psp-advisor
sudo mv kube-psp-advisor /usr/local/bin/

Basic Usage

Analyze a Namespace

kubectl advise-psp inspect --namespace production

Analyze the Entire Cluster

kubectl advise-psp inspect

Generate Pod Security Policy

kubectl advise-psp inspect --namespace production --report=psp

Generate Pod Security Standards Report

kubectl advise-psp inspect --namespace production --report=pss

Example Output

PSP Recommendation

# Generated by kube-psp-advisor
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: production-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false

  # Required for nginx pods
  hostNetwork: false
  hostIPC: false
  hostPID: false

  runAsUser:
    rule: MustRunAsNonRoot

  seLinux:
    rule: RunAsAny

  fsGroup:
    rule: RunAsAny

  supplementalGroups:
    rule: RunAsAny

  volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim

  # Capabilities analysis
  allowedCapabilities: []
  requiredDropCapabilities:
  - ALL

  # Detected hostPath requirements
  allowedHostPaths: []

PSS Recommendation

Pod Security Standards Report for namespace: production
========================================================

Recommended Level: restricted

Workload Analysis:
- Total Pods: 15
- Compliant with 'restricted': 12
- Compliant with 'baseline': 3
- Require 'privileged': 0

Non-compliant workloads (baseline):
- deployment/logging-agent
  Issues:
  - Uses hostPath volume
  - Requires NET_ADMIN capability

- daemonset/monitoring
  Issues:
  - Runs as root (UID 0)

Recommendations:
1. Apply 'restricted' level to production namespace
2. Add exemptions for: logging-agent, monitoring
3. Or modify workloads to be compliant

Two things to keep in mind when acting on a report like this. First, the findings are not all of the same weight: running as root is permitted by the baseline profile and blocked only by restricted, whereas hostPath volumes and NET_ADMIN are forbidden by baseline itself, so a workload like logging-agent can only be admitted under 'privileged' enforcement. Second, Pod Security Admission cannot exempt an individual Deployment or DaemonSet: its exemptions are configured in the API server's AdmissionConfiguration by username, RuntimeClass name or namespace, and it evaluates the Pods the controllers create, not the Deployment object. In practice, "add exemptions for logging-agent and monitoring" means moving those workloads into a dedicated namespace that enforces a less strict level (typically with audit and warn set to restricted so the gap stays visible), or fixing them as described under Remediation Recommendations below.

Understanding the Analysis

Security Context Analysis

kube-psp-advisor examines:

Field          What It Checks
privileged     Whether pods need privileged mode
capabilities   What Linux capabilities are required
runAsUser      User ID requirements
runAsGroup     Group ID requirements
fsGroup        Filesystem group requirements
volumes        Volume types used
hostPath       Host filesystem mounts
hostNetwork    Host network usage
hostPID        Host PID namespace
hostIPC        Host IPC namespace

Volume Analysis

Volume Types Detected:
- configMap (12 pods)
- secret (10 pods)
- emptyDir (8 pods)
- persistentVolumeClaim (3 pods)
- hostPath (1 pod) [!]

Capability Analysis

Capabilities Analysis:
- Pods dropping ALL capabilities: 10
- Pods with default capabilities: 4
- Pods adding capabilities: 1
  - logging-agent: NET_ADMIN, NET_RAW

Migration Planning

From Privileged to Restricted

# Step 1: Analyze current state
kubectl advise-psp inspect --report=pss

# Step 2: Identify non-compliant workloads
kubectl advise-psp inspect --report=pss --output=json | jq '.non_compliant[]'

# Step 3: Generate remediation plan
kubectl advise-psp inspect --report=remediation

Remediation Recommendations

# Remediation for: deployment/app
# Current: baseline level required
# Target: restricted level

spec:
  containers:
  - securityContext:
      # Change 1: Remove root user requirement
      runAsNonRoot: true
      runAsUser: 1000   # Add non-root user

      # Change 2: Drop all capabilities
      capabilities:
        drop:
        - ALL

      # Change 3: Enable read-only root filesystem
      readOnlyRootFilesystem: true

Note that the three changes above are not sufficient on their own: the restricted profile also requires allowPrivilegeEscalation: false on every container and a seccompProfile of type RuntimeDefault or Localhost (set at pod level or per container), while readOnlyRootFilesystem is good hygiene but not something the profile checks. Verify the remediated manifest against Pod Security Admission before relying on it; `kubectl apply --dry-run=server` into a namespace with the restricted level enforced will reject a pod that still misses one of these fields.

Per-Workload Analysis

Analyze Specific Deployment

kubectl advise-psp inspect --namespace production --name deployment/my-app

Output

Workload: deployment/my-app
Namespace: production

Security Requirements:
- privileged: false
- hostNetwork: false
- hostPID: false
- hostIPC: false
- capabilities: NET_BIND_SERVICE (required for port 80)
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 2000
- volumes: configMap, secret, emptyDir

Recommended PSS Level: restricted (NET_BIND_SERVICE is the one capability the restricted profile lets a container add, so no exemption is needed)

Minimal PSP:
spec:
  privileged: false
  allowedCapabilities:
  - NET_BIND_SERVICE
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  volumes:
  - configMap
  - secret
  - emptyDir

CI/CD Integration

Validate Workloads Against PSS

name: Security Policy Check
on: [push]

jobs:
  psp-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install kube-psp-advisor
        run: |
          # "latest" keeps the demo short; a production pipeline should pin a release
          # version and verify the archive checksum before executing the binary.
          # -f makes curl fail on an HTTP error instead of handing tar an error page.
          curl -fLO https://github.com/sysdiglabs/kube-psp-advisor/releases/latest/download/kube-psp-advisor_linux_amd64.tar.gz
          tar xzf kube-psp-advisor_linux_amd64.tar.gz

      - name: Check manifests
        run: |
          ./kube-psp-advisor inspect --source=file --path=./kubernetes/

      - name: Fail if privileged required
        run: |
          RESULT=$(./kube-psp-advisor inspect --source=file --path=./kubernetes/ --output=json)
          # Quote the JSON so the shell does not word-split it; -r strips jq's quotes.
          PRIVILEGED=$(printf '%s' "$RESULT" | jq -r '.requires_privileged')
          if [ "$PRIVILEGED" = "true" ]; then
            echo "Workloads require privileged mode!"
            exit 1
          fi

Best Practices

  • Analyze before restricting: Understand what workloads need before applying policies.
  • Start with baseline: Use baseline level first, then move to restricted.
  • Use exemptions sparingly: Grant exemptions only to workloads that truly need them.
  • Automate analysis: Run kube-psp-advisor in CI/CD to catch policy violations early.
  • Document exceptions: Keep records of why specific workloads need elevated permissions.

Limitations

  • Cannot detect runtime-only security requirements.
  • Based on current workload configuration, not future needs.
  • PodSecurityPolicy output is only usable on legacy clusters (Kubernetes 1.24 and earlier); the API was removed in 1.25.
  • Does not account for operator-deployed workloads that may change.

References

This article is based on information from the following official sources:

  1. kube-psp-advisor GitHub Repository - Sysdig
  2. Pod Security Standards - Kubernetes Documentation
  3. Pod Security Admission - Kubernetes Documentation