Pod Security Standards
Kubernetes Pod Security Standards define three progressively restrictive security profiles that control what pods are allowed to do.
The Three Levels
Privileged: Unrestricted. Allows every pod configuration, including host namespaces, hostPath volumes and privileged containers. Intended only for trusted, system-level workloads such as CNI plugins, storage drivers and node agents that genuinely need host access.
Baseline: Minimally restrictive. Prevents the known privilege-escalation paths while staying compatible with most common application workloads: it forbids hostNetwork, hostPID and hostIPC, privileged and HostProcess containers, all hostPath volumes, capabilities beyond the container runtime's default set, and an Unconfined seccomp profile.
Restricted: Heavily restricted, following current pod-hardening best practice. It includes everything Baseline forbids and additionally requires runAsNonRoot: true (with no runAsUser: 0), allowPrivilegeEscalation: false, dropping ALL capabilities (only NET_BIND_SERVICE may be added back), a seccomp profile of type RuntimeDefault or Localhost, and a short allow-list of volume types (configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, secret). A read-only root filesystem is good practice but is not part of the standard.
Pod Security Admission
Pod Security Admission (PSA), the admission controller built into the API server (GA since Kubernetes 1.25), enforces these standards per namespace using labels. Each label names a mode (enforce, audit or warn) and a level; the three modes can be combined on one namespace, and an optional version label (for example pod-security.kubernetes.io/enforce-version=v1.28) pins the policy to a specific release so later tightenings of a level do not break workloads unexpectedly:
# Enforce restricted standard (reject violating pods)
kubectl label namespace production \
pod-security.kubernetes.io/enforce=restricted
# Warn on baseline violations (allow but show warnings)
kubectl label namespace staging \
pod-security.kubernetes.io/warn=baseline
# Audit mode logs violations without blocking
kubectl label namespace dev \
pod-security.kubernetes.io/audit=baseline
Testing Compliance
Check if your pods comply before enforcing:
# Server-side dry-run: the API server returns one warning per existing pod
# that would violate the new level, and the label is not actually applied
kubectl label namespace production \
pod-security.kubernetes.io/enforce=restricted \
--dry-run=server --overwrite
# List current security labels on namespaces
kubectl get namespaces -L \
pod-security.kubernetes.io/enforce,\
pod-security.kubernetes.io/warn
Common Restricted Requirements
Under the restricted profile every container (regular, init and ephemeral) must set, or inherit from the pod-level securityContext, all of the following; a container-level securityContext overrides the pod-level value for the same field:
runAsNonRoot: true, and runAsUser must not be 0
allowPrivilegeEscalation: false (it must be set explicitly; the default is true)
capabilities.drop: [ALL], with at most NET_BIND_SERVICE added back
seccompProfile.type: RuntimeDefault or Localhost
Volumes limited to configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected and secret
Inspect what a running pod actually declares at both levels:
# Container-level securityContext for each container in the pod
kubectl get pod myapp -o jsonpath='{range .spec.containers[*]}{.name}{": "}{.securityContext}{"\n"}{end}'
# Pod-level securityContext (runAsNonRoot and seccompProfile are often set here);
# kubectl describe does not print security settings, so read the spec directly
kubectl get pod myapp -o jsonpath='{.spec.securityContext}'
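As an added, offline example (not part of this page or the Kubernetes project), the following Python script evaluates a pod spec against the Restricted profile's core controls (host namespaces, volume types, privileged, allowPrivilegeEscalation, runAsNonRoot/runAsUser, capabilities and seccomp) and returns the violations as a list, so it can run in CI over rendered manifests before a namespace gets the enforce label. The two pod definitions are constructed for the example, with placeholder image names; the script is a simplified stand-in for the admission controller, and the server-side dry-run remains the authoritative test.

```python
# Added example: pre-check Pod specs against the Restricted profile's main
# controls before labelling a namespace with enforce=restricted.
# Illustrative code, not part of Kubernetes; both pod specs below are
# constructed for this example.

RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _all_containers(spec):
    """Restricted applies to regular, init and ephemeral containers alike."""
    return (spec.get("containers", [])
            + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def _effective(spec, ctr, field):
    """A container-level securityContext field overrides the pod-level one."""
    csc = ctr.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (spec.get("securityContext") or {}).get(field)


def check_restricted(pod):
    """Return human-readable violations; an empty list means compliant."""
    spec = pod["spec"]
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    out = []

    # Baseline controls (Restricted includes everything Baseline forbids)
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            out.append(f"{name}: spec.{key} must not be true")
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):   # the non-name key is the type
            if vtype not in RESTRICTED_VOLUME_TYPES:
                out.append(f"{name}: volume {vol['name']!r} uses disallowed type {vtype!r}")

    for ctr in _all_containers(spec):
        cname = ctr.get("name", "?")
        csc = ctr.get("securityContext") or {}
        if csc.get("privileged"):
            out.append(f"{name}/{cname}: privileged must not be true")
        if csc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}/{cname}: allowPrivilegeEscalation must be set to false")
        if _effective(spec, ctr, "runAsNonRoot") is not True:
            out.append(f"{name}/{cname}: runAsNonRoot must be true (pod or container level)")
        if _effective(spec, ctr, "runAsUser") == 0:
            out.append(f"{name}/{cname}: runAsUser must not be 0")
        caps = csc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{name}/{cname}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            out.append(f"{name}/{cname}: capabilities.add may only contain NET_BIND_SERVICE, found {sorted(extra)}")
        seccomp = _effective(spec, ctr, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}/{cname}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


# Constructed: a pod hardened for the restricted profile (placeholder image).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

# Constructed: a typical legacy node agent that enforce=restricted would reject.
LEGACY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-agent"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "agent", "image": "registry.example/agent:2.3",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for pod in (HARDENED_POD, LEGACY_POD):
        problems = check_restricted(pod)
        print(f"{pod['metadata']['name']}: "
              f"{'OK' if not problems else str(len(problems)) + ' violation(s)'}")
        for p in problems:
            print("  -", p)
```

The hardened pod passes with no findings; the legacy agent produces seven, one per control it breaks. Feeding rendered Deployment or StatefulSet templates through check_restricted (their spec.template is a pod spec) gives the same pre-enforcement signal that the audit label would, without waiting for the workloads to be redeployed.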
Roll out in stages: label with audit first, fix the violations the audit log annotations reveal, add warn so developers see the failures at apply time, and only then switch enforce to the target level. Note that enforce gates pod creation only: pods already running are not evicted, and a Deployment whose pod template violates the level is still accepted (with a warning), but its ReplicaSet will fail to create new pods, so check workload controllers rather than waiting for a rollout to stall.