Pod Security Standards
What is Pod Security Standards?
Pod Security Standards (PSS) are Kubernetes-defined security profiles — Privileged, Baseline, and Restricted — that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
PSS specifies three cumulative profiles. Privileged is unrestricted and intended only for system pods. Baseline blocks the most well-known escalations, such as hostNetwork, hostPID, hostPath, privileged containers, and dangerous capabilities. Restricted enforces hardening best practices: runAsNonRoot, read-only root filesystem, seccomp RuntimeDefault, dropping ALL capabilities except NET_BIND_SERVICE, and disallowing host namespaces or unsafe volumes. The Pod Security admission controller enforces these profiles per-namespace in three modes — enforce, audit, warn. PSS is the upstream replacement for PodSecurityPolicy and is typically combined with OPA Gatekeeper or Kyverno for richer policy.
● Examples
- 01
Labelling a namespace with pod-security.kubernetes.io/enforce: restricted.
- 02
PSA rejecting a pod that requests CAP_SYS_ADMIN in a baseline-enforced namespace.
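To make the cumulative profiles above concrete, here is an added example (not code from the page or from Kubernetes) that re-implements a subset of the Baseline and Restricted checks over a plain pod spec dict and returns the violations PSA would report, run against a constructed pod that requests CAP_SYS_ADMIN (example 02) and a constructed hardened pod. The Baseline capability allowlist and the field names follow the upstream profile definitions; everything else is simplified for illustration.

```python
# Illustrative re-implementation of a subset of the Baseline and Restricted checks.
# Constructed for this example; it is not the Kubernetes PSA code.
BASELINE_ALLOWED_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
RESTRICTED_ALLOWED_ADDS = {"NET_BIND_SERVICE"}
def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])
def baseline_violations(spec):
    """Messages for the well-known escalations that Baseline blocks."""
    v = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            v.append(f"{ns} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"container {c['name']!r} is privileged")
        bad = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ALLOWED_CAPS
        if bad:
            v.append(f"container {c['name']!r} adds capabilities {sorted(bad)}")
    return v

def restricted_violations(spec):
    """Restricted is cumulative: every Baseline failure plus the hardening rules."""
    v = baseline_violations(spec)
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        # A container-level securityContext field overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"container {name!r} must set runAsNonRoot=true")
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {name!r} must set allowPrivilegeEscalation=false")
        caps = sc.get("capabilities", {})
        if caps.get("drop") != ["ALL"]:
            v.append(f"container {name!r} must drop ALL capabilities")
        if set(caps.get("add", [])) - RESTRICTED_ALLOWED_ADDS:
            v.append(f"container {name!r} may only add NET_BIND_SERVICE")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {name!r} must set seccompProfile RuntimeDefault or Localhost")
    return v
# Constructed samples: example 02 above (a pod asking for CAP_SYS_ADMIN) and a hardened pod.
SYS_ADMIN_POD = {"containers": [{"name": "app", "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}
HARDENED_POD = {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}
```

In a namespace labelled enforce: baseline, SYS_ADMIN_POD yields one violation and is rejected; under enforce: restricted the same pod also fails every hardening rule, while HARDENED_POD passes both profiles.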
● Frequently asked questions
What is Pod Security Standards?
Pod Security Standards (PSS) are Kubernetes-defined security profiles — Privileged, Baseline, and Restricted — that codify safe pod configuration and replace the deprecated PodSecurityPolicy. It belongs to the Cloud Security category of cybersecurity.
What does Pod Security Standards mean?
Pod Security Standards (PSS) are Kubernetes-defined security profiles — Privileged, Baseline, and Restricted — that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
How does Pod Security Standards work?
PSS specifies three cumulative profiles. Privileged is unrestricted and intended only for system pods. Baseline blocks the most well-known escalations, such as hostNetwork, hostPID, hostPath, privileged containers, and dangerous capabilities. Restricted enforces hardening best practices: runAsNonRoot, read-only root filesystem, seccomp RuntimeDefault, dropping ALL capabilities except NET_BIND_SERVICE, and disallowing host namespaces or unsafe volumes. The Pod Security admission controller enforces these profiles per-namespace in three modes — enforce, audit, warn. PSS is the upstream replacement for PodSecurityPolicy and is typically combined with OPA Gatekeeper or Kyverno for richer policy.
How do you defend against Pod Security Standards?
Defences for Pod Security Standards typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Pod Security Standards?
Common alternative names include: PSS, Pod Security Admission, PSA.
● Related terms
- cloud-security№ 597
Kubernetes Admission Controller
An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
- cloud-security№ 757
OPA Gatekeeper
OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
- cloud-security№ 602
Kyverno
Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
- cloud-security№ 599
Kubernetes Network Policy
Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
- cloud-security№ 582
Kata Containers
Kata Containers is an open-source runtime that wraps each container or Kubernetes pod in a lightweight virtual machine to provide hardware-level isolation between workloads.
- cloud-security№ 455
gVisor
gVisor is an open-source application kernel from Google that intercepts container system calls in user space, shrinking the host kernel attack surface exposed to untrusted workloads.