Stay organized with collections
Save and categorize content based on your preferences.
PodSecurityPolicy (beta) is deprecated in Kubernetes version 1.21 and removed in
version 1.25. To learn more, refer to the PodSecurityPolicy deprecation blog
post.
For Google Kubernetes Engine (GKE) clusters running version 1.25 or later, you can
no longer use PodSecurityPolicy, and you must disable the feature before
upgrading to versions 1.25 or later. For instructions, refer to Migrate from
PodSecurityPolicy.
Alternatives to PodSecurityPolicy
If you want to continue using Pod-level security controls in GKE,
we recommend one of the following solutions:
Use the PodSecurity admission controller: You can use the
PodSecurity admission controller
to apply Pod Security Standards to Pods running on your GKE
Standard and Autopilot clusters. Pod Security Standards
are predefined security policies that meet the high-level needs of Pod
security in Kubernetes. These policies are cumulative, and range from being
highly permissive to being highly restrictive.
Use Policy Controller with the Pod Security Policy bundle:
Policy Controller lets you apply and enforce security policies in your GKE
clusters. Policy Controller bundles,
like the Pod Security Policy bundle, let you enforce the same validations as
PodSecurityPolicy with capabilities such as dry-run and fine-grained control
over resource coverage.
Use Gatekeeper: GKE Standard clusters allow you
to apply security policies using Gatekeeper. You can use Gatekeeper to
enforce the same capabilities as PodSecurityPolicy, as well as take
advantage of other functionality such as dry-run, gradual rollouts, and
auditing.
You can check which clusters use this deprecated feature by using
deprecation insights.
Deprecation insights for this feature are supported for clusters running any
GKE version.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# PodSecurityPolicy deprecation\n\n*** ** * ** ***\n\nPodSecurityPolicy (beta) is deprecated in Kubernetes version 1.21 and removed in\nversion 1.25. To learn more, refer to the [PodSecurityPolicy deprecation blog\npost](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/).\nFor Google Kubernetes Engine (GKE) clusters running version 1.25 or later, you can\nno longer use PodSecurityPolicy, and you must disable the feature before\nupgrading to versions 1.25 or later. For instructions, refer to [Migrate from\nPodSecurityPolicy](/kubernetes-engine/docs/how-to/migrate-podsecuritypolicy#disable-psp).\n\nAlternatives to PodSecurityPolicy\n---------------------------------\n\nIf you want to continue using Pod-level security controls in GKE,\nwe recommend one of the following solutions:\n\n- **Use the `PodSecurity` admission controller** : You can use the\n [`PodSecurity` admission controller](/kubernetes-engine/docs/how-to/podsecurityadmission)\n to apply Pod Security Standards to Pods running on your GKE\n Standard and Autopilot clusters. Pod Security Standards\n are predefined security policies that meet the high-level needs of Pod\n security in Kubernetes. These policies are cumulative, and range from being\n highly permissive to being highly restrictive.\n\n To migrate your existing PodSecurityPolicy configuration to `PodSecurity`,\n refer to\n [Migrate from PodSecurityPolicy](/kubernetes-engine/docs/how-to/migrate-podsecuritypolicy).\n- **Use Policy Controller with the Pod Security Policy bundle** :\n Policy Controller lets you apply and enforce security policies in your GKE\n clusters. Policy Controller [*bundles*](/anthos-config-management/docs/concepts/policy-controller-bundles),\n like the Pod Security Policy bundle, let you enforce the same validations as\n PodSecurityPolicy with capabilities such as dry-run and fine-grained control\n over resource coverage.\n\n For more information, refer to\n [Use Policy Controller's Pod Security Policy bundle](/anthos-config-management/docs/how-to/using-constraints-to-enforce-pod-security).\n- **Use Gatekeeper**: GKE Standard clusters allow you\n to apply security policies using Gatekeeper. You can use Gatekeeper to\n enforce the same capabilities as PodSecurityPolicy, as well as take\n advantage of other functionality such as dry-run, gradual rollouts, and\n auditing.\n\n For more information, refer to\n [Apply custom Pod-level security policies using Gatekeeper](/kubernetes-engine/docs/how-to/pod-security-policies-with-gatekeeper).\n- **Use GKE Autopilot clusters**: GKE\n Autopilot clusters implement many of the recommended security\n policies by default.\n\n For more information, refer to the\n [Autopilot overview](/kubernetes-engine/docs/concepts/autopilot-overview).\n\nView deprecation insights and recommendations\n---------------------------------------------\n\nYou can check which clusters use this deprecated feature by using\n[deprecation insights](/kubernetes-engine/docs/deprecations/viewing-deprecation-insights-and-recommendations#view-deprecation-insights-recs).\nDeprecation insights for this feature are supported for clusters running any\nGKE version."]]
