Kubernetes Pod Security Standards: Restrict, Baseline, and Privileged
Platform Engineering

Kubernetes Pod Security Standards Explained

Enforce pod security with built-in admission control: replace PodSecurityPolicy with Pod Security Standards, OPA Gatekeeper, and Kyverno.

Luca Berton
· 1 min read

The PodSecurityPolicy Deprecation

PodSecurityPolicy (PSP) was removed in Kubernetes 1.25. Its replacement is Pod Security Standards (PSS), enforced by the Pod Security Admission controller that is built into the API server; no extra controllers are needed.

Three Security Levels

| Level      | What It Allows                                  | Use Case                                  |
|------------|-------------------------------------------------|-------------------------------------------|
| Privileged | Everything                                      | System/infra pods (CNI, storage drivers)  |
| Baseline   | Sane defaults, blocks known escalations         | General workloads                         |
| Restricted | Strictest: runs as non-root, no capabilities    | Security-sensitive workloads              |

Enable Per-Namespace

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    # Enforce restricted (reject violations)
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Warn and audit on restricted violations (the pod is still admitted,
    # but the client gets a warning and the audit log gets an annotation)
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Namespace
metadata:
  name: kube-system
  labels:
    # System namespace needs privileged. A namespace with no labels is
    # also unrestricted (privileged); set it explicitly so the intent is visible.
    pod-security.kubernetes.io/enforce: privileged

What Restricted Blocks

# ❌ This pod will be REJECTED in a restricted namespace
apiVersion: v1
kind: Pod
metadata:
  name: restricted-violation
spec:
  containers:
    - name: app
      image: myapp
      securityContext:
        privileged: true          # ❌ Blocked (by baseline as well)
        runAsUser: 0              # ❌ Must be non-root
        allowPrivilegeEscalation: true  # ❌ Must be explicitly false
      # ❌ Also missing: capabilities.drop ["ALL"] and a RuntimeDefault
      #    or Localhost seccompProfile, both required by restricted
      volumeMounts:
        - name: host
          mountPath: /host
  volumes:
    - name: host
      hostPath:                   # ❌ Blocked (by baseline as well)
        path: /
---
# ✅ This pod PASSES restricted
apiVersion: v1
kind: Pod
metadata:
  name: restricted-ok
spec:
  securityContext:
    runAsNonRoot: true            # pod-level setting applies to every container
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true   # not required by restricted, but good hygiene
        runAsUser: 1000
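To catch these violations in CI before a manifest ever reaches an enforcing namespace, here is an added example (not Kubernetes' own admission code) that applies the restricted-profile checks discussed above to Pod objects. The two Pod dicts are constructed to mirror the rejected and passing pods, and the NET_BIND_SERVICE rule goes slightly beyond the page: restricted allows that one capability to be added.

```python
# Added example, not Kubernetes' own admission code: a simplified CI-side
# check for the restricted-profile controls discussed on this page, run on
# manifests before they reach a namespace labelled
# pod-security.kubernetes.io/enforce=restricted. The two Pod dicts are
# constructed to mirror the page's rejected and passing pods.

def restricted_violations(pod):
    """Return the restricted-profile violations found in a Pod object (dict)."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    problems = []
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')}: hostPath is not allowed")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            problems.append(f"{name}: privileged is not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added")
        # Pod-level securityContext applies unless the container overrides it
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{name}: runAsUser 0 is not allowed")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
    return problems

REJECTED_POD = {  # constructed: the page's rejected pod
    "apiVersion": "v1", "kind": "Pod", "spec": {
        "containers": [{"name": "app", "image": "myapp", "securityContext": {
            "privileged": True, "runAsUser": 0, "allowPrivilegeEscalation": True}}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}

PASSING_POD = {  # constructed: the page's passing pod
    "apiVersion": "v1", "kind": "Pod", "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "myapp", "securityContext": {
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True, "runAsUser": 1000}}]}}

if __name__ == "__main__":
    for label, pod in (("rejected", REJECTED_POD), ("passing", PASSING_POD)):
        print(label, restricted_violations(pod) or "OK")
```

readOnlyRootFilesystem is not part of the restricted profile, so the checker does not require it; the rejected pod trips seven checks, including the two it does not set at all (capabilities and seccomp).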

Migration from PSP

# 1. Audit what would break: a server-side dry run of the *enforce* label makes the
#    admission controller evaluate every existing pod in the namespace and return
#    one warning per violating pod, without changing the namespace
kubectl label --dry-run=server --overwrite ns production pod-security.kubernetes.io/enforce=restricted

# 2. Check violations once enforcement is on: workload controllers whose pods are
#    rejected emit FailedCreate events carrying the PodSecurity message
kubectl get events --field-selector reason=FailedCreate -A | grep "violates PodSecurity"

# 3. Fix pods, then enforce
kubectl label ns production pod-security.kubernetes.io/enforce=restricted

Kyverno (Policy-as-Code Alternative)

For more granular control than built-in PSS:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
spec:
  validationFailureAction: Enforce   # Audit would only report, not block
  rules:
    - name: check-non-root
      match:
        any:                         # match.resources still works but is deprecated
          - resources:
              kinds: [Pod]
              namespaces: [production]
      validate:
        message: "Containers must run as non-root"
        # A list in a pattern must match every element, so each container is checked
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
                  allowPrivilegeEscalation: false

OPA Gatekeeper

# Constraint instance. K8sRequiredSecurityContext is not a built-in kind: a
# ConstraintTemplate carrying the Rego that reads spec.parameters must be
# applied first, and Gatekeeper generates this CRD from it.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredSecurityContext
metadata:
  name: must-run-as-nonroot
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["production"]
  parameters:
    runAsNonRoot: true
    allowPrivilegeEscalation: false

Comparison

| Feature            | Built-in PSS     | Kyverno         | OPA Gatekeeper |
|--------------------|------------------|-----------------|----------------|
| No extra install   | ✅               | ❌              | ❌             |
| Granularity        | 3 levels only    | Any policy      | Any policy     |
| Mutation           | ❌               | ✅ (auto-fix)   | ⚠️ (limited)   |
| Generate resources | ❌               | ✅              | ❌             |
| Learning curve     | Low              | Medium          | High (Rego)    |
| Performance        | Native (fastest) | Fast            | Medium         |

  1. Start with PSS: label all namespaces (baseline for dev, restricted for prod)
  2. Add Kyverno for policies PSS can't express (image allowlists, label requirements)
  3. Audit mode first: warn before enforce
  4. Exempt system namespaces: kube-system, monitoring, cert-manager need privileged
