Pod Security Standards (PSS)

Overview

PSS defines three policy levels for pod security. They are enforced per namespace by the built-in Pod Security Admission controller, which reads the namespace labels shown below.

Security Modes

Mode         Description
Privileged   No restrictions
Baseline     Minimal restrictions
Restricted   Heavily restricted, best practice

Apply Baseline Policy

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    # enforce: pods violating this level are rejected at admission
    pod-security.kubernetes.io/enforce: baseline
    # audit: violations of this level are recorded in the audit log
    pod-security.kubernetes.io/audit: restricted
    # warn: violations of this level return a warning to the client
    pod-security.kubernetes.io/warn: restricted

Restricted Policy Requirements

Non-privileged containers

securityContext:
  privileged: false
  allowPrivilegeEscalation: false

Read-only root filesystem

securityContext:
  readOnlyRootFilesystem: true

Non-root user

securityContext:
  runAsNonRoot: true
  runAsUser: 10000

Example Compliant Pod

apiVersion: v1
kind: Pod
metadata:
  name: secure-app
spec:
  # pod-level settings are inherited by every container unless overridden
  securityContext:
    runAsNonRoot: true
    runAsUser: 10000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    # the image must be built to run as a non-root UID; with runAsNonRoot
    # set, the kubelet refuses to start a container whose image runs as root
    image: nginx
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
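As an added illustration (not code from the original page or from Kubernetes), the following Python checks a pod manifest against the Restricted-profile fields listed above, applying the same pod-level to container-level inheritance the admission controller uses. It assumes the manifest has already been parsed into a dict (for example with yaml.safe_load) and implements only the checks this page lists.

```python
"""Offline checker for the Restricted-profile fields listed on this page.
Assumption: the manifest is a parsed dict (e.g. from yaml.safe_load); only the
checks on this page are implemented, the real admission controller has more."""

def _effective(ctr, spec, key):
    # Container-level securityContext overrides the pod-level one.
    ctr_sc = ctr.get("securityContext") or {}
    if key in ctr_sc:
        return ctr_sc[key]
    return (spec.get("securityContext") or {}).get(key)

def restricted_violations(pod):
    """Return a list of human-readable violations; empty means compliant."""
    spec = pod.get("spec", {})
    out = []
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext") or {}
        if sc.get("privileged", False):
            out.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation", True):  # unset counts as allowed
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        if _effective(ctr, spec, "runAsNonRoot") is not True:
            out.append(f"{name}: runAsNonRoot must be true")
        prof = (_effective(ctr, spec, "seccompProfile") or {}).get("type")
        if prof not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            out.append(f"{name}: capabilities.drop must include ALL")
        if not sc.get("readOnlyRootFilesystem", False):
            out.append(f"{name}: readOnlyRootFilesystem should be true")
    return out

# Constructed sample: the compliant pod from this page, as a dict.
COMPLIANT_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-app"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10000,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "image": "nginx", "securityContext": {
                 "privileged": False, "allowPrivilegeEscalation": False,
                 "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}]}}

# Constructed sample: a typical manifest that sets no securityContext at all.
BARE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
            "spec": {"containers": [{"name": "app", "image": "nginx"}]}}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, BARE_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "compliant")
```

Running it reports the page's example as compliant and lists five missing settings for the bare manifest, which is what a namespace labelled enforce=restricted would reject.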
