{"id":23762306,"url":"https://github.com/appvia/psp-migration","last_synced_at":"2026-06-06T04:02:31.448Z","repository":{"id":37057861,"uuid":"430771934","full_name":"appvia/psp-migration","owner":"appvia","description":"Recreation of common Pod Security Policy configuration in other common Kubernetes policy engines","archived":false,"fork":false,"pushed_at":"2026-06-05T19:10:15.000Z","size":19538,"stargazers_count":52,"open_issues_count":20,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-06-05T21:09:05.738Z","etag":null,"topics":["gatekeeper","hacktoberfest","k8s","kubernetes","kubernetes-security","kubewarden","kyverno","opa","pod-security-policy","podsecuritypolicies","podsecuritypolicy","policy-as-code","psp","security","yaml"],"latest_commit_sha":null,"homepage":"https://appvia.github.io/psp-migration","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/appvia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-11-22T15:55:53.000Z","updated_at":"2026-05-20T21:11:14.000Z","dependencies_parsed_at":"2023-09-22T07:24:28.405Z","dependency_job_id":"55869249-e8cc-45bc-882b-670281a08546","html_url":"https://github.com/appvia/psp-migration","commit_stats":null,"previous_names":[],"tags_count":929,"template":false,"template_full_name":null,"purl":"pkg:github/appvia/psp-migration","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fp
sp-migration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fpsp-migration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fpsp-migration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fpsp-migration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/appvia","download_url":"https://codeload.github.com/appvia/psp-migration/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fpsp-migration/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33968711,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-06T02:00:07.033Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gatekeeper","hacktoberfest","k8s","kubernetes","kubernetes-security","kubewarden","kyverno","opa","pod-security-policy","podsecuritypolicies","podsecuritypolicy","policy-as-code","psp","security","yaml"],"created_at":"2024-12-31T21:17:58.250Z","updated_at":"2026-06-06T04:02:31.429Z","avatar_url":"https://github.com/appvia.png","language":"TypeScript","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"readme":"# Kubernetes [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) Migration\n\n\u003e 
PodSecurityPolicy is dead, long live ???\n\n[![CI](https://github.com/appvia/psp-migration/actions/workflows/ci.yml/badge.svg)](https://github.com/appvia/psp-migration/actions/workflows/ci.yml)\n[![GitHub issues](https://img.shields.io/github/issues/appvia/psp-migration)](https://github.com/appvia/psp-migration/issues)\n[![GitHub forks](https://img.shields.io/github/forks/appvia/psp-migration)](https://github.com/appvia/psp-migration/network)\n[![GitHub stars](https://img.shields.io/github/stars/appvia/psp-migration)](https://github.com/appvia/psp-migration/stargazers)\n![GitHub contributors](https://img.shields.io/github/contributors/appvia/psp-migration)\n![GitHub last commit](https://img.shields.io/github/last-commit/appvia/psp-migration)\n[![Appvia Community Slack](https://img.shields.io/badge/slack-@appvia_community-default.svg?logo=slack)](https://join.slack.com/t/appvia-community/shared_invite/zt-rcqz9vif-eDDQrbD_EAZBxsem30c2bQ)\n[![GitHub license](https://img.shields.io/github/license/appvia/psp-migration)](https://github.com/appvia/psp-migration/blob/main/LICENSE)\n\n# Please see our blog post [PodSecurityPolicy is Dead, Long Live...?](https://www.appvia.io/blog/podsecuritypolicy-is-dead-long-live)!\n---\n\n## 🚨 🚧 UNDER ACTIVE DEVELOPMENT (pull requests welcome) 🚧 🚨\n\nThis project strives to recreate common Pod Security Policy configuration in other common Kubernetes policy engines, to better inform consumers how to migrate before PodSecurityPolicy is removed in Kubernetes 1.25.\n\n\n## Installation\n\nDownload the right binary for your OS and Arch from the [latest release](https://github.com/appvia/psp-migration/releases/latest)\n\nOr you can **[try it now in your browser](https://appvia.github.io/psp-migration/)!**\n\n## Usage\n\nThe app takes a PodSecurityPolicy on `stdin` and outputs the equivalent policy for your policy engine of choice on `stdout`. Select the policy engine with `--engine=\u003cengine\u003e`:\n\n```bash\n$ cat psp.yaml | ./psp-migration --engine=gatekeeper \u003e 
output.yaml\n# or if you're feeling brave you can pipe it back and forth to the kubernetes api\n$ kubectl get -o yaml mypodsecuritypolicy | ./psp-migration -e kubewarden | kubectl apply -f -\n```\n\n## Known limitations\n\n- Generated policy will probably be pretty verbose\n- Generated policy will probably have some unintended side effects, please [create an issue](https://github.com/appvia/psp-migration/issues/new?assignees=\u0026labels=bug%2Ctriage\u0026template=bug.yaml\u0026title=%5BBug%5D%3A+) when this happens\n- Only takes one PodSecurityPolicy at a time\n- Generated policy may conflict with other policies\n\n## Features\n\n### :warning: This table is manually updated, see the [automated test suites results](https://github.com/appvia/psp-migration/actions/workflows/ci.yml) :warning:\n\n\u003e Note: ❌ Doesn't mean it doesn't work, it just means the test is currently failing, in most cases the test needs to be updated\n\n| PSP field                                                                  | [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) | [Pod Security Standard (baseline)](https://kubernetes.io/docs/concepts/security/pod-security-standards/) | [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) | [Kyverno](https://github.com/kyverno/kyverno)             | [Kubewarden](https://github.com/kubewarden/kubewarden-controller) | [k-rail](https://github.com/cruise-automation/k-rail)   |\n| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------- | --------------------------------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------- |\n| 
[privileged](./tests/privileged)                                           | [✔️](./tests/privileged/psp.yaml)                                                       | [✔️](./tests/privileged/pss.yaml)                                                                       | [✔️](./tests/privileged/gatekeeper.yaml)                       | [✔️](./tests/privileged/kyverno.yaml)                      | [✔️](./tests/privileged/kubewarden.yaml)                           | [✔️](./tests/privileged/krail.yaml)                      |\n| [hostPID](./tests/hostPID)                                                 | [✔️](./tests/hostPID/psp.yaml)                                                          | [✔️](./tests/hostPID/pss.yaml)                                                                          | [✔️](./tests/hostPID/hostPID.yaml)                             | [✔️](./tests/hostPID/kyverno.yaml)                         | [✔️](./tests/hostPID/kubewarden.yaml)                              | [✔️](./tests/hostPID/krail.yaml)                         |\n| [hostIPC](./tests/hostIPC)                                                 | [✔️](./tests/hostIPC/psp.yaml)                                                          | [✔️](./tests/hostIPC/pss.yaml)                                                                          | [✔️](./tests/hostIPC/gatekeeper.yaml)                          | [✔️](./tests/hostIPC/kyverno.yaml)                         | [✔️](./tests/hostIPC/kubewarden.yaml)                              | [❌](./tests/hostIPC/krail.yaml)                         |\n| [hostNetwork](./tests/hostNetwork)                                         | [✔️](./tests/hostNetwork/psp.yaml)                                                      | [✔️](./tests/hostNetwork/pss.yaml)                                                                      | [✔️](./tests/hostNetwork/gatekeeper.yaml)                      | [✔️](./tests/hostNetwork/kyverno.yaml)                     | 
[✔️](./tests/hostNetwork/kubewarden.yaml)                          | [✔️](./tests/hostNetwork/krail.yaml)                     |\n| [hostPorts](./tests/hostPorts)                                             | [✔️](./tests/hostPorts/psp.yaml)                                                        | [❌](./tests/hostPorts/pss.yaml)                                                                        | [✔️](./tests/hostPorts/gatekeeper.yaml)                        | [✔️](./tests/hostPorts/kyverno.yaml)                       | [✔️](./tests/hostPorts/kubewarden.yaml)                            | [❌](./tests/hostPorts/krail.yaml)                       |\n| [volumes](./tests/volumes)                                                 | [✔️](./tests/volumes/psp.yaml)                                                          | [✔️](./tests/volumes/pss.yaml)                                                                          | [✔️](./tests/volumes/gatekeeper.yaml)                          | [✔️](./tests/volumes/kyverno.yaml)                         | [✔️](./tests/volumes/kubewarden.yaml)                              | [❌](./tests/volumes/krail.yaml)                         |\n| [allowedHostPaths](./tests/allowedHostPaths)                               | [✔️](./tests/allowedHostPaths/psp.yaml)                                                 | [❌](./tests/allowedHostPaths/pss.yaml)                                                                 | [✔️](./tests/allowedHostPaths/gatekeeper.yaml)                 | [✔️](./tests/allowedHostPaths/kyverno.yaml)                | [✔️](./tests/allowedHostPaths/kubewarden.yaml)                     | [❌](./tests/allowedHostPaths/krail.yaml)                |\n| [allowedFlexVolumes](./tests/allowedFlexVolumes)                           | [✔️](./tests/allowedFlexVolumes/psp.yaml)                                               | [❌](./tests/allowedFlexVolumes/pss.yaml)                                                               | 
[✔️](./tests/allowedFlexVolumes/gatekeeper.yaml)               | [✔️](./tests/allowedFlexVolumes/kyverno.yaml)              | [✔️](./tests/allowedFlexVolumes/kubewarden.yaml)                   | [❌](./tests/allowedFlexVolumes/krail.yaml)              |\n| [readOnlyRootFilesystem](./tests/readOnlyRootFilesystem)                   | [✔️](./tests/readOnlyRootFilesystem/psp.yaml)                                           | [❌](./tests/readOnlyRootFilesystem/pss.yaml)                                                           | [✔️](./tests/readOnlyRootFilesystem/gatekeeper.yaml)           | [✔️](./tests/readOnlyRootFilesystem/kyverno.yaml)          | [✔️](./tests/readOnlyRootFilesystem/kubewarden.yaml)               | [❌](./tests/readOnlyRootFilesystem/krail.yaml)          |\n| [runAsUser](./tests/runAsUser)                                             | [✔️](./tests/runAsUser/psp.yaml)                                                        | [❌](./tests/runAsUser/pss.yaml)                                                                        | [✔️](./tests/runAsUser/gatekeeper.yaml)                        | [✔️](./tests/runAsUser/kyverno.yaml)                       | [✔️](./tests/runAsUser/kubewarden.yaml)                            | [❌](./tests/runAsUser/krail.yaml)                       |\n| [runAsGroup](./tests/runAsGroup)                                           | [✔️](./tests/runAsGroup/psp.yaml)                                                       | [❌](./tests/runAsGroup/pss.yaml)                                                                       | [✔️](./tests/runAsGroup/gatekeeper.yaml)                       | [✔️](./tests/runAsGroup/kyverno.yaml)                      | [✔️](./tests/runAsGroup/kubewarden.yaml)                           | [❌](./tests/runAsGroup/krail.yaml)                      |\n| [supplementalGroups](./tests/supplementalGroups)                           | [✔️](./tests/supplementalGroups/psp.yaml)                                          
     | [❌](./tests/supplementalGroups/pss.yaml)                                                               | [✔️](./tests/supplementalGroups/gatekeeper.yaml)               | [✔️](./tests/supplementalGroups/kyverno.yaml)              | [✔️](./tests/supplementalGroups/kubewarden.yaml)                   | [❌](./tests/supplementalGroups/krail.yaml)              |\n| [fsgroup](./tests/fsgroup)                                                 | [✔️](./tests/fsgroup/psp.yaml)                                                          | [❌](./tests/fsgroup/pss.yaml)                                                                          | [✔️](./tests/fsgroup/gatekeeper.yaml)                          | [✔️](./tests/fsgroup/kyverno.yaml)                         | [✔️](./tests/fsgroup/kubewarden.yaml)                              | [❌](./tests/fsgroup/krail.yaml)                         |\n| [allowPrivilegeEscalation](./tests/allowPrivilegeEscalation)               | [✔️](./tests/allowPrivilegeEscalation/psp.yaml)                                         | [❌](./tests/allowPrivilegeEscalation/pss.yaml)                                                         | [✔️](./tests/allowPrivilegeEscalation/gatekeeper.yaml)         | [✔️](./tests/allowPrivilegeEscalation/kyverno.yaml)        | [✔️](./tests/allowPrivilegeEscalation/kubewarden.yaml)             | [❌](./tests/allowPrivilegeEscalation/krail.yaml)        |\n| [defaultAllowPrivilegeEscalation](./tests/defaultAllowPrivilegeEscalation) | [✔️](./tests/defaultAllowPrivilegeEscalation/psp.yaml)                                  | [❌](./tests/defaultAllowPrivilegeEscalation/pss.yaml)                                                  | [✔️](./tests/defaultAllowPrivilegeEscalation/gatekeeper.yaml)  | [✔️](./tests/defaultAllowPrivilegeEscalation/kyverno.yaml) | [✔️](./tests/defaultAllowPrivilegeEscalation/kubewarden.yaml)      | [❌](./tests/defaultAllowPrivilegeEscalation/krail.yaml) |\n| 
[allowedCapabilities](./tests/allowedCapabilities)                         | [✔️](./tests/allowedCapabilities/psp.yaml)                                              | [❌](./tests/allowedCapabilities/pss.yaml)                                                              | [✔️](./tests/allowedCapabilities/gatekeeper.yaml)              | [✔️](./tests/allowedCapabilities/kyverno.yaml)             | [✔️](./tests/allowedCapabilities/kubewarden.yaml)                  | [❌](./tests/allowedCapabilities/krail.yaml)             |\n| [defaultAddCapabilities](./tests/defaultAddCapabilities)                   | [✔️](./tests/defaultAddCapabilities/psp.yaml)                                           | [❌](./tests/defaultAddCapabilities/pss.yaml)                                                           | [✔️](./tests/defaultAddCapabilities/gatekeeper.yaml)           | [✔️](./tests/defaultAddCapabilities/kyverno.yaml)          | [✔️](./tests/defaultAddCapabilities/kubewarden.yaml)               | [❌](./tests/defaultAddCapabilities/krail.yaml)          |\n| [requiredDropCapabilities](./tests/requiredDropCapabilities)               | [✔️](./tests/requiredDropCapabilities/psp.yaml)                                         | [❌](./tests/requiredDropCapabilities/pss.yaml)                                                         | [✔️](./tests/requiredDropCapabilities/gatekeeper.yaml)         | [✔️](./tests/requiredDropCapabilities/kyverno.yaml)        | [✔️](./tests/requiredDropCapabilities/kubewarden.yaml)             | [❌](./tests/requiredDropCapabilities/krail.yaml)        |\n| [seLinux](./tests/seLinux)                                                 | [✔️](./tests/seLinux/psp.yaml)                                                          | [❌](./tests/seLinux/pss.yaml)                                                                          | [✔️](./tests/seLinux/gatekeeper.yaml)                          | [✔️](./tests/seLinux/kyverno.yaml)                         | 
[✔️](./tests/seLinux/kubewarden.yaml)                              | [❌](./tests/seLinux/krail.yaml)                         |\n| [allowedProcMountTypes](./tests/allowedProcMountTypes)                     | [✔️](./tests/allowedProcMountTypes/psp.yaml)                                            | [❌](./tests/allowedProcMountTypes/pss.yaml)                                                            | [✔️](./tests/allowedProcMountTypes/gatekeeper.yaml)            | [✔️](./tests/allowedProcMountTypes/kyverno.yaml)           | [✔️](./tests/allowedProcMountTypes/kubewarden.yaml)                | [❌](./tests/allowedProcMountTypes/krail.yaml)           |\n| [apparmor](./tests/apparmor)                                               | [✔️](./tests/apparmor/psp.yaml)                                                         | [✔️](./tests/apparmor/pss.yaml)                                                                         | [✔️](./tests/apparmor/gatekeeper.yaml)                         | [✔️](./tests/apparmor/kyverno.yaml)                        | [✔️](./tests/apparmor/kubewarden.yaml)                             | [✔️](./tests/apparmor/krail.yaml)                        |\n| [seccomp](./tests/seccomp)                                                 | [✔️](./tests/seccomp/psp.yaml)                                                          | [✔️](./tests/seccomp/pss.yaml)                                                                          | [✔️](./tests/seccomp/gatekeeper.yaml)                          | [✔️](./tests/seccomp/kyverno.yaml)                         | [✔️](./tests/seccomp/kubewarden.yaml)                              | [❌](./tests/seccomp/krail.yaml)                         |\n| [forbiddenSysctls](./tests/forbiddenSysctls)                               | [✔️](./tests/forbiddenSysctls/psp.yaml)                                                 | [❌](./tests/forbiddenSysctls/pss.yaml)                                                                 | 
[✔️](./tests/forbiddenSysctls/gatekeeper.yaml)                 | [✔️](./tests/forbiddenSysctls/kyverno.yaml)                | [✔️](./tests/forbiddenSysctls/kubewarden.yaml)                     | [❌](./tests/forbiddenSysctls/krail.yaml)                |\n| [allowedUnsafeSysctls](./tests/allowedUnsafeSysctls)                       | [✔️](./tests/allowedUnsafeSysctls/psp.yaml)                                             | [❌](./tests/allowedUnsafeSysctls/pss.yaml)                                                             | [✔️](./tests/allowedUnsafeSysctls/gatekeeper.yaml)             | [✔️](./tests/allowedUnsafeSysctls/kyverno.yaml)            | [✔️](./tests/allowedUnsafeSysctls/kubewarden.yaml)                 | [❌](./tests/allowedUnsafeSysctls/krail.yaml)            |\n\n## References\n\n- https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/\n- https://github.com/open-policy-agent/gatekeeper-library\n- https://kubernetes.io/docs/concepts/security/pod-security-standards/\n- https://github.com/open-policy-agent/gatekeeper\n- https://github.com/kyverno/kyverno\n- https://github.com/kyverno/policies\n- https://github.com/kubewarden/kubewarden-controller\n- https://hub.kubewarden.io/\n- https://github.com/cruise-automation/k-rail/blob/master/charts/k-rail/values.yaml\n- https://github.com/cruise-automation/k-rail\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fappvia%2Fpsp-migration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fappvia%2Fpsp-migration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fappvia%2Fpsp-migration/lists"}