Pod Security Standards (PSS) define three levels of security restrictions for pods. They are enforced by the built-in Pod Security Admission controller, which reached general availability in Kubernetes 1.25, the same release that removed the deprecated PodSecurityPolicy admission controller.
The Three Levels
Privileged
No restrictions: this level allows the known privilege escalations. Use it only for trusted, system-level workloads (CNI plugins, storage drivers, node agents) that genuinely need host access, and keep those in their own namespaces.
Baseline
Prevents known privilege escalations while still admitting a minimally specified pod. Suitable for most workloads.
Restrictions include:
- No privileged containers
- No hostNetwork, hostPID, or hostIPC, and no hostPort bindings
- No hostPath volumes
- Only capabilities from a small allow list (CHOWN, NET_BIND_SERVICE, SETUID and the like) may be added
- No sysctls outside the allow list
- No Unconfined seccomp profile at the pod or container level
Restricted
Heavily restricted, following current pod hardening best practices. Best for security-critical applications; expect some workloads to need manifest changes before they are admitted.
Additional restrictions (evaluated for init and ephemeral containers as well):
- Must run as non-root (runAsNonRoot: true at the pod level or on every container, and no runAsUser: 0 anywhere)
- allowPrivilegeEscalation: false must be set explicitly on every container
- Seccomp profile required (RuntimeDefault or Localhost, at the pod level or on every container)
- All capabilities dropped (drop: ["ALL"]); only NET_BIND_SERVICE may be added back
- Volume types limited to configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret
A read-only root filesystem is not part of the Restricted standard. It is worthwhile additional hardening, but Pod Security Admission does not check it.
Enabling Pod Security Standards
Apply labels to namespaces:
YAML
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
Modes
- enforce: Reject pods that violate the policy. Enforcement happens at admission of Pod objects only, so pods that are already running are not evicted, and a Deployment whose pod template violates the policy is accepted while its pods are silently not created (the ReplicaSet's events show the rejection)
- audit: Allow the pod but record the violation as an annotation on the audit log event
- warn: Allow the pod but return a warning to the client (kubectl prints it)
The audit and warn modes also evaluate the pod templates of workload resources such as Deployments, which is what makes them useful for finding violations before enforcing. Each mode has an optional companion label, pod-security.kubernetes.io/<mode>-version, that pins the policy to a Kubernetes minor version (for example v1.29) instead of latest, so a cluster upgrade does not silently tighten what an already-labelled namespace requires.
Migration Strategy
- Start with warn mode (for example warn: baseline) to identify violations without blocking anything
- Fix workloads to comply with the standard you intend to enforce
- Enable audit mode to track any remaining violations in the audit log over time
- Finally enable enforce mode, then roll the workloads in the namespace: enforcement applies only to newly admitted pods, so a rollout is the real test
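Both the per-level rules above and the migration steps come down to one question: which fields in a manifest would the admission controller reject at a given level? The following checker is an added example written for this page, not code from Kubernetes or from the original text. It applies the Baseline and Restricted rules to an already-parsed pod manifest (the dict that yaml.safe_load or json.load returns) and reports the highest level the pod passes, which is the enforce label its namespace could carry. The three manifests at the bottom are constructed for the example; the AppArmor, SELinux, procMount and Windows-specific checks are omitted, and the sysctl allow list is the original five entries, so extend it for newer cluster versions.

```python
"""Offline checker for the Baseline and Restricted Pod Security Standards (added example,
not Kubernetes code). Input is a parsed pod manifest, i.e. the dict yaml.safe_load returns.
The AppArmor, SELinux, procMount and Windows checks of the standards are omitted."""

LEVELS = ("privileged", "baseline", "restricted")
# Capabilities Baseline lets a container add; Restricted allows only NET_BIND_SERVICE.
BASELINE_ALLOWED_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# Baseline sysctl allow list (newer releases add more net.ipv4.* keys; extend to match).
BASELINE_ALLOWED_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
    "net.ipv4.ip_unprivileged_port_start", "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range"}
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret"}

def _containers(spec):
    """Every container the standards evaluate, including init and ephemeral ones."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []

def _seccomp_type(sc):
    return (sc.get("seccompProfile") or {}).get("type")

def check_pod(pod, level):
    """Return the list of `level` violations for `pod`; an empty list means compliant."""
    violations = []
    if level == "privileged":
        return violations  # Privileged imposes no restrictions
    spec = pod.get("spec") or {}
    psc = spec.get("securityContext") or {}
    # Baseline: block the known privilege-escalation paths.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} is true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')} uses hostPath")
    for sysctl in psc.get("sysctls") or []:
        if sysctl.get("name") not in BASELINE_ALLOWED_SYSCTLS:
            violations.append(f"sysctl {sysctl.get('name')} is outside the allow list")
    if _seccomp_type(psc) == "Unconfined":
        violations.append("pod seccompProfile is Unconfined")
    for c in _containers(spec):
        name, csc = c.get("name", "?"), c.get("securityContext") or {}
        if csc.get("privileged"):
            violations.append(f"container {name} is privileged")
        if _seccomp_type(csc) == "Unconfined":
            violations.append(f"container {name} seccompProfile is Unconfined")
        for cap in sorted(set((csc.get("capabilities") or {}).get("add") or []) - BASELINE_ALLOWED_CAPS):
            violations.append(f"container {name} adds capability {cap}")
        for port in c.get("ports") or []:
            if port.get("hostPort"):
                violations.append(f"container {name} binds hostPort {port['hostPort']}")
    if level == "baseline":
        return violations
    # Restricted: additionally demand explicit hardening on every container.
    for vol in spec.get("volumes") or []:
        for kind in vol:  # hostPath was already reported by the Baseline pass
            if kind not in ("name", "hostPath") and kind not in RESTRICTED_VOLUME_TYPES:
                violations.append(f"volume {vol.get('name')} uses disallowed type {kind}")
    if psc.get("runAsUser") == 0:
        violations.append("pod runAsUser is 0")
    for c in _containers(spec):
        name, csc = c.get("name", "?"), c.get("securityContext") or {}
        if csc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name} must set allowPrivilegeEscalation: false")
        # Container-level settings override pod-level ones; the effective value is checked.
        if csc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            violations.append(f"container {name} must run as non-root")
        if csc.get("runAsUser") == 0:
            violations.append(f"container {name} runAsUser is 0")
        if (_seccomp_type(csc) or _seccomp_type(psc)) not in ("RuntimeDefault", "Localhost"):
            violations.append(f"container {name} needs a RuntimeDefault or Localhost seccomp profile")
        caps = csc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"container {name} must drop ALL capabilities")
        for cap in sorted((set(caps.get("add") or []) & BASELINE_ALLOWED_CAPS) - {"NET_BIND_SERVICE"}):
            violations.append(f"container {name} adds capability {cap} (only NET_BIND_SERVICE allowed)")
    return violations

def highest_passing_level(pod):
    """Most restrictive level the pod satisfies: the enforce label its namespace could carry."""
    return next(level for level in reversed(LEVELS) if not check_pod(pod, level))

# Constructed sample manifests for this example (not taken from a real cluster).
HOST_POD = {"metadata": {"name": "node-debug"}, "spec": {
    "hostPID": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox:1.36", "securityContext": {"privileged": True}}]}}
BASELINE_POD = {"metadata": {"name": "web"}, "spec": {
    "containers": [{"name": "nginx", "image": "nginx:1.27", "ports": [{"containerPort": 80}]}]}}
RESTRICTED_POD = {"metadata": {"name": "secure-pod"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "app", "image": "myapp:1.4.2", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

if __name__ == "__main__":
    for pod in (HOST_POD, BASELINE_POD, RESTRICTED_POD):
        print(pod["metadata"]["name"], highest_passing_level(pod), check_pod(pod, "restricted"))
```

Running the file prints one line per sample pod: node-debug passes only privileged, web passes baseline, and secure-pod passes restricted with no violations. Once manifests pass locally, the cluster-side equivalent is a server dry run: kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline evaluates the existing pods in every namespace and returns a warning for each one that would be rejected, without changing any labels.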
Example Compliant Pod
YAML
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:                 # pod-level defaults, inherited by every container
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp:latest          # prefer an immutable tag or digest in production
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true   # not required by Restricted, but good hardening
Pod Security Standards provide a standardized, built-in way to enforce pod hardening across your cluster.