Pod Security Standards
Applying restricted pod security profiles to reduce container breakout and privilege escalation risk.
Pod Security Standards
Profiles (Kubernetes built-in)
| Profile | Use case |
|---|---|
| Privileged | System daemons only |
| Baseline | Minimize known privilege escalations |
| Restricted | Hardened workloads (recommended default) |
Restricted profile highlights
- Run as non-root user
- Drop all capabilities; add only required caps
readOnlyRootFilesystem: truewhere possible- No hostPath / hostNetwork / hostPID
Example deployment snippet
securityContext:
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]Enforcement
Enable Pod Security admission at namespace level:
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restrictedMigration path
- Audit existing workloads with kube-bench / Polaris
- Fix top offenders in staging
- Enforce warn → audit → enforce over 2–3 sprints