
PodSecurityPolicy controller is not enabled on Kubernetes Engine clusters

Description

PodSecurityPolicy is an admission controller resource created to validate requests to create and update Pods on your cluster. The PodSecurityPolicy defines a set of conditions that Pods must meet to be accepted by the cluster. When a request to create or update a Pod does not meet the conditions in the PodSecurityPolicy, that request is rejected and an error is returned.

We recommend that you enable the PodSecurityPolicy Controller on Kubernetes Engine clusters.
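As an added example (not part of this policy page or of GKE's tooling), the following Python audits cluster descriptions shaped like the JSON that gcloud container clusters describe returns, flagging clusters where podSecurityPolicyConfig.enabled is not true, and then models the kind of admission decision the controller makes against a simplified restricted policy. The cluster names, the sample Pod spec and the policy fields are constructed for illustration.

```python
"""Audit GKE cluster descriptions for PSP enforcement; model PSP admission."""

# Constructed sample resembling `gcloud container clusters describe --format=json`,
# trimmed to the field this check needs; cluster names are hypothetical.
SAMPLE_CLUSTERS = [
    {"name": "prod-a", "podSecurityPolicyConfig": {"enabled": True}},
    {"name": "prod-b", "podSecurityPolicyConfig": {"enabled": False}},
    {"name": "dev-c"},  # field absent: the controller was never enabled
]

# Constructed Pod spec that a restricted policy should reject.
BAD_POD = {"containers": [{"name": "app", "securityContext": {"privileged": True}}]}


def psp_enabled(cluster: dict) -> bool:
    """True only when podSecurityPolicyConfig.enabled is explicitly true."""
    return cluster.get("podSecurityPolicyConfig", {}).get("enabled") is True


def noncompliant_clusters(clusters: list) -> list:
    """Names of clusters that do not enforce PodSecurityPolicy."""
    return [c["name"] for c in clusters if not psp_enabled(c)]


# Simplified PSP-style policy: conditions a Pod must meet to be admitted.
# Only container-level securityContext is inspected here (constructed subset).
RESTRICTED_POLICY = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsUser": "MustRunAsNonRoot",
}


def psp_violations(pod_spec: dict, policy: dict = RESTRICTED_POLICY) -> list:
    """Reasons the admission controller would reject this Pod (empty = admitted)."""
    reasons = []
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged") and not policy["privileged"]:
            reasons.append(f"{name}: privileged containers are not allowed")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True) and not policy["allowPrivilegeEscalation"]:
            reasons.append(f"{name}: allowPrivilegeEscalation must be false")
        non_root = sc.get("runAsNonRoot") is True or (sc.get("runAsUser") or 0) > 0
        if policy["runAsUser"] == "MustRunAsNonRoot" and not non_root:
            reasons.append(f"{name}: must run as a non-root user")
    return reasons
```

Feeding real describe output into noncompliant_clusters gives a quick fleet-wide view of where the controller is still off before the fixes below are applied.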

Fix - Runtime

Gcloud CLI

To enable the PodSecurityPolicy Controller on an existing cluster, run the following command, replacing cluster-name with the name of your cluster (the beta command group must be installed in the gcloud CLI):

gcloud beta container clusters update cluster-name --enable-pod-security-policy

More information at: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies

Fix - Buildtime

Terraform

First, make sure the google-beta provider is set up and used by the google_container_cluster resource (provider = google-beta), then add the following block to that resource:

pod_security_policy_config {
    enabled = true
}

More information at: https://www.terraform.io/docs/providers/google/r/container_cluster.html#pod_security_policy_config