---
id: 5419d76e-2030-4d91-aa05-f6f5f19af1b1
---

# Pod Security Policy Conflicts
---

Pod security policy conflicts refer to situations where there are security policy violations in Kubernetes pods. This can happen when pod security policies are not properly defined or when the policies in place conflict with the requirements of a specific pod. These conflicts can result in the pod being denied access to resources, which can cause serious disruptions in the application or system running on the pod.

### Parameters
```shell
export POD_NAME="PLACEHOLDER"

export KUBE_APISERVER_POD_NAME="PLACEHOLDER"

export UPDATED_POLICY_YAML="PLACEHOLDER"

export NAMESPACE="PLACEHOLDER"

export POLICY_NAME="PLACEHOLDER"
```

## Debug

### Check the status of the pod
```shell
kubectl get pod ${POD_NAME}
```

### View the pod's security policies
```shell
kubectl describe pod ${POD_NAME}
```

### Check the status of the security policies
```shell
kubectl get podsecuritypolicies
```

### Check the status of the security context constraints
```shell
kubectl get scc
```

### Check the logs for the pod
```shell
kubectl logs ${POD_NAME}
```

### Check the events related to the pod
```shell
kubectl get events --field-selector involvedObject.name=${POD_NAME}
```

### Check the audit logs for the Kubernetes API server
```shell
kubectl logs -n kube-system ${KUBE_APISERVER_POD_NAME} | grep -i audit
```

## Repair

### Identify the root cause of the policy conflict. This could involve reviewing the pod security policies in place and comparing them to the requirements of the affected pod. Once the issue has been identified, the policies can be updated to resolve the conflict.
```shell


#!/bin/bash



# Set variables

POD_NAME=${POD_NAME}

NAMESPACE=${NAMESPACE}

POLICY_NAME=${POLICY_NAME}



# Get policy details

POLICY_DETAILS=$(kubectl get podsecuritypolicy $POLICY_NAME -o json)



# Get pod details

POD_DETAILS=$(kubectl get pod $POD_NAME -n $NAMESPACE -o json)



# Check for policy conflicts

if kubectl auth reconcile $POLICY_DETAILS $POD_DETAILS > /dev/null 2>&1; then

    echo "No policy conflicts found."

else

    # Update policy

    kubectl apply -f ${UPDATED_POLICY_YAML}

    echo "Policy updated successfully."

fi


```

Pod security policy conflicts refer to situations where there are security policy violations in Kubernetes pods. This can happen when pod security policies are not properly defined or when the policies in place conflict with the requirements of a specific pod. These conflicts can result in the pod being denied access to resources, which can cause serious disruptions in the application or system running on the pod.


The Vault cluster health incident is related to the health of a Vault cluster instance. This incident type is triggered when the cluster instance is not healthy and requires attention to ensure it is functioning properly. The incident typically involves evaluating the current state of the cluster instance, diagnosing the issue, and taking corrective action to restore the health of the instance.


Vault cluster health incident on kubernetes

A Host Out of Memory(OOM) Incident occurs when a server or system runs out of memory, causing it to crash or become unresponsive. This can be caused by a variety of factors, such as an unexpected surge in traffic or insufficient resources allocated to the system. Resolving this type of incident requires identifying the root cause of the memory issue and taking appropriate measures such as optimizing system resources or increasing memory capacity.


Host Out of Memory (OOM) Incident

This incident type is characterized by the detection of unauthorized access to the Kubernetes API server. This unauthorized access potentially enables attackers to manipulate cluster resources. Such incidents can lead to serious consequences, as unauthorized access allows attackers to make changes to the Kubernetes cluster, which may compromise the security and integrity of the entire system. Therefore, it is crucial to promptly detect and address such incidents to ensure the security and proper functioning of the Kubernetes cluster.


Unauthorized Access to Kubernetes API Server Detected

This incident type involves an issue with Kubernetes deployments where the expected number of pods to run is not matching the actual number of pods running. This can lead to alerts being triggered and potential disruptions in the system.


Kubernetes pods not starting - Deployment issue

Kubernetes Pods Pending incident indicates that one or more pods in a Kubernetes cluster are not running as expected and are in a pending state. This can happen due to various reasons such as resource constraints, scheduling issues, or network problems. This incident can impact the availability and performance of the application running on the Kubernetes cluster. It requires immediate attention to diagnose and resolve the underlying issue to ensure the pods are running as expected.


Kubernetes Pods Pending

```shell
export POD_NAME="PLACEHOLDER"

export KUBE_APISERVER_POD_NAME="PLACEHOLDER"

export UPDATED_POLICY_YAML="PLACEHOLDER"

export NAMESPACE="PLACEHOLDER"

export POLICY_NAME="PLACEHOLDER"
```


### Check the status of the pod

```shell
kubectl get pod ${POD_NAME}
```

### View the pod's security policies

```shell
kubectl describe pod ${POD_NAME}
```

### Check the status of the security policies

```shell
kubectl get podsecuritypolicies
```

### Check the status of the security context constraints

```shell
kubectl get scc
```

### Check the logs for the pod

```shell
kubectl logs ${POD_NAME}
```

### Check the events related to the pod

```shell
kubectl get events --field-selector involvedObject.name=${POD_NAME}
```

### Check the audit logs for the Kubernetes API server

```shell
kubectl logs -n kube-system ${KUBE_APISERVER_POD_NAME} | grep -i audit
```


### Identify the root cause of the policy conflict. This could involve reviewing the pod security policies in place and comparing them to the requirements of the affected pod. Once the issue has been identified, the policies can be updated to resolve the conflict.

```shell


#!/bin/bash



# Set variables

POD_NAME=${POD_NAME}

NAMESPACE=${NAMESPACE}

POLICY_NAME=${POLICY_NAME}



# Get policy details

POLICY_DETAILS=$(kubectl get podsecuritypolicy $POLICY_NAME -o json)



# Get pod details

POD_DETAILS=$(kubectl get pod $POD_NAME -n $NAMESPACE -o json)



# Check for policy conflicts

if kubectl auth reconcile $POLICY_DETAILS $POD_DETAILS > /dev/null 2>&1; then

    echo "No policy conflicts found."

else

    # Update policy

    kubectl apply -f ${UPDATED_POLICY_YAML}

    echo "Policy updated successfully."

fi


```


Pod Security Policy Conflicts

Overview

Parameters

Debug

Check the status of the pod

View the pod's security policies

Check the status of the security policies

Check the status of the security context constraints

Check the logs for the pod

Check the audit logs for the Kubernetes API server

Repair

Identify the root cause of the policy conflict. This could involve reviewing the pod security policies in place and comparing them to the requirements of the affected pod. Once the issue has been identified, the policies can be updated to resolve the conflict.

Learn more

Related Runbooks

Vault cluster health incident on kubernetes

Host Out of Memory (OOM) Incident

Unauthorized Access to Kubernetes API Server Detected

Kubernetes pods not starting - Deployment issue

Support