Zama Ques

Reputation: 1544

Checking PodSecurityPolicy status in a GKE Cluster

How to check whether PodSecurityPolicy is enabled on a GKE cluster or not? Using gcloud container clusters describe <clustername>, I could not find anything.

If I enable it on a cluster where this plugin is already enabled, it still displays that the plugin has been enabled, so there is actually no way to know whether the plugin is already enabled on a cluster:

 $ gcloud beta container clusters update mycluster --enable-pod-security-policy --zone us-east1-c
 Updating podsecpolicy-poc...done.
 Updated [https://container.googleapis.com/v1beta1/projects/<project>/zones/us-east1-c/clusters/mycluster].

Upvotes: 0

Views: 1049

Answers (1)

mario

Reputation: 11128

Since PodSecurityPolicy is still a beta feature in GKE, it can only be accessed through the GKE beta API. To check whether the PodSecurityPolicy controller is enabled on your GKE cluster, run:

$ gcloud beta container clusters describe <cluster-name> --zone=<zone> --format json | jq '.podSecurityPolicyConfig'

Sample command with its result:

$ gcloud beta container clusters describe my-gke-cluster --zone=europe-west4-c --format json | jq '.podSecurityPolicyConfig'
{
  "enabled": true
}

Update:

When PodSecurityPolicy is not enabled on GKE cluster, the above query returns:

null

as there is no podSecurityPolicyConfig section available. You can also search for it with grep. If PodSecurityPolicy is enabled, the result will look as follows:

$ gcloud beta container clusters describe my-gke-cluster --zone=europe-west4-c | grep -iA 1 podsecuritypolicy
podSecurityPolicyConfig:
  enabled: true

If it is not, you won't find this section at all.

Upvotes: 2
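As an added example (not part of either post above), here is a small POSIX shell script that turns the check from the answer into a three-way status, parsing the default YAML output of gcloud beta container clusters describe with awk so there is no jq dependency. The field name podSecurityPolicyConfig and its enabled key are the ones shown in the answer; the function names, the constructed sample outputs, and the decision to report an explicit enabled: false as "disabled" are assumptions of this example, since the answer only covers the present and absent cases. The check only applies to cluster versions that still ship the PodSecurityPolicy admission controller, which Kubernetes removed in 1.25.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Classifies the PodSecurityPolicy state of a GKE cluster from the YAML that
# `gcloud beta container clusters describe` prints.

# psp_status: read describe output (YAML) on stdin and print one of
#   enabled   - podSecurityPolicyConfig.enabled is true
#   disabled  - the section exists but enabled is false (assumed case)
#   not-set   - the section is absent (the answer's jq query prints null here)
psp_status() {
    value=$(awk '
        /^podSecurityPolicyConfig:/ { in_section = 1; next }   # enter the block
        in_section && /^[ \t]+enabled:/ { print $2; exit }     # indented key
        /^[^ \t]/ { in_section = 0 }                           # next top-level key
    ')
    case "$value" in
        true)  echo enabled ;;
        false) echo disabled ;;
        *)     echo not-set ;;
    esac
}

# check_cluster NAME ZONE: run the real describe command from the answer and
# classify its output. Needs gcloud with the beta component; not run by the
# self-test below.
check_cluster() {
    gcloud beta container clusters describe "$1" --zone="$2" | psp_status
}

# Constructed, trimmed sample outputs (not captured from a real cluster).
SAMPLE_ENABLED='name: my-gke-cluster
podSecurityPolicyConfig:
  enabled: true
status: RUNNING'

SAMPLE_ABSENT='name: my-gke-cluster
status: RUNNING'

SAMPLE_DISABLED='name: my-gke-cluster
podSecurityPolicyConfig:
  enabled: false
status: RUNNING'

# Usage: ./psp_status.sh <cluster-name> <zone> checks a live cluster;
# with no arguments it runs over the constructed samples.
if [ "$#" -eq 2 ]; then
    check_cluster "$1" "$2"
else
    printf 'sample enabled  -> %s\n' "$(printf '%s\n' "$SAMPLE_ENABLED"  | psp_status)"
    printf 'sample absent   -> %s\n' "$(printf '%s\n' "$SAMPLE_ABSENT"   | psp_status)"
    printf 'sample disabled -> %s\n' "$(printf '%s\n' "$SAMPLE_DISABLED" | psp_status)"
fi
```

If you prefer the JSON route from the answer, keep in mind that jq's alternative operator (`//`) treats false the same as null, so `.podSecurityPolicyConfig.enabled // "absent"` cannot distinguish an explicit enabled: false from a missing section; test `.podSecurityPolicyConfig == null` separately if that distinction matters to you.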
