Pod Security Standards Overview
Pod Security Standards (PSS) define minimum security requirements for pods. They replace the deprecated Pod Security Policy (PSP) and provide built-in protection against common attack vectors like privilege escalation, unsafe capabilities, and unrestricted filesystem access.
💡 Key Insight: PSS provides three levels: Unrestricted, Baseline, and Restricted.
Use Restricted for production workloads.
PSS Levels
1. Unrestricted
Allows all pod operations (default Kubernetes behavior):
- Privileged containers
- All Linux capabilities
- Full filesystem access
- No restrictions
2. Baseline
Prevents known privilege escalations:
- No privileged containers
- No privilege escalation (allowPrivilegeEscalation: false)
- No host path access
- Allows common capabilities
3. Restricted
Enforces strict security standards:
- No privileged containers
- No privilege escalation
- No host path access
- No host networking
- Limited capabilities (only NET_BIND_SERVICE)
- Must run as non-root
- Read-only root filesystem
Implementing PSS
Enforce at Namespace Level
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
Restricted Pod Example
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
serviceAccountName: restricted-account
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
Security Context Options
| Setting | Purpose |
|---|---|
| runAsNonRoot | Requires containers to run as non-root user |
| allowPrivilegeEscalation | Prevents privilege escalation via SUID |
| readOnlyRootFilesystem | Prevents modifications to root filesystem |
| capabilities | Controls Linux capabilities granted to container |
| seccompProfile | Restricts system calls available to container |
Best Practices
- Enforce Restricted PSS: Enable for production namespaces
- Use Audit Mode: Enable audit mode before enforcement
- Gradual Migration: Migrate applications progressively
- Use Service Accounts: Create per-application service accounts
- Non-Root User: Always run containers as non-root
- Read-Only Root: Use read-only root filesystems when possible
- Drop Capabilities: Drop all capabilities, add only needed ones
⚠️ Important: Some legacy applications may not work with Restricted PSS.
Test thoroughly in Baseline mode first.
Troubleshooting PSS Issues
Pod Rejected by PSS
Solution: Check the pod's security context and adjust to meet the policy level
Application Won't Start
Solution: Check logs for capability or permission errors, adjust security context
Permission Denied Errors
Solution: Add temporary write volumes using emptyDir for application needs