Skip to main content

Pod Security Standards

Applying restricted pod security profiles to reduce container breakout and privilege escalation risk.


Pod Security Standards

Profiles (Kubernetes built-in)

ProfileUse case
PrivilegedSystem daemons only
BaselineMinimize known privilege escalations
RestrictedHardened workloads (recommended default)

Restricted profile highlights

  • Run as non-root user
  • Drop all capabilities; add only required caps
  • readOnlyRootFilesystem: true where possible
  • No hostPath / hostNetwork / hostPID

Example deployment snippet

securityContext: runAsNonRoot: true runAsUser: 10001 seccompProfile: type: RuntimeDefault containers: - name: app securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"]

Enforcement

Enable Pod Security admission at namespace level:

labels: pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/warn: restricted

Migration path

  1. Audit existing workloads with kube-bench / Polaris
  2. Fix top offenders in staging
  3. Enforce warn → audit → enforce over 2–3 sprints