Kubernetes Pod Security Standards Guide
Implement Pod Security Standards with Pod Security Admission. Privileged, baseline, and restricted profiles, namespace labels.
Quick Answer: Label namespaces with `pod-security.kubernetes.io/enforce: restricted` to enforce Pod Security Standards. Start with `warn` mode to audit violations, then switch to `enforce` when clean.
The Problem
PodSecurityPolicy was removed in K8s 1.25. Its replacement, Pod Security Admission (PSA), uses namespace labels to enforce three security levels: privileged (no restrictions), baseline (prevents known escalations), and restricted (hardened). Teams need a migration path.
The Solution
Security Levels
| Level | Description | Use Case |
|---|---|---|
| privileged | No restrictions | System components, CNI, CSI |
| baseline | Prevents known escalations | General workloads |
| restricted | Hardened security posture | Multi-tenant, regulated environments |
Namespace Labels
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted
```

Restricted-Compliant Pod
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-app
  namespace: production
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true
        runAsUser: 1000
```

```mermaid
graph TD
    NS[Namespace Label<br/>enforce: restricted] -->|Pod Create| PSA[Pod Security Admission]
    PSA -->|Check against profile| CHECK{Compliant?}
    CHECK -->|Yes| ALLOW[Pod created]
    CHECK -->|No| DENY[Rejected<br/>Forbidden: violates restricted]
```

Common Issues
"violates PodSecurity restricted" error: pods rejected
Common violations: missing `runAsNonRoot`, `seccompProfile` not set, capabilities not dropped. The warning message names the specific offending fields, so check it first.
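An added preflight check (not code from the original guide) that tests a Pod manifest for the same restricted fields before a namespace is switched from `warn` to `enforce`. It assumes the manifest has already been loaded into a Python dict (with PyYAML that would be `yaml.safe_load()`); the sample pod below is constructed for the example.

```python
# Preflight check of a Pod manifest against the restricted fields the guide lists:
# runAsNonRoot, seccomp RuntimeDefault (Localhost is also accepted), explicit
# allowPrivilegeEscalation: false, and capabilities drop ALL. Init containers are
# checked too, since admission evaluates them the same way.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def restricted_violations(pod):
    """Return human-readable violations; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault")
        # allowPrivilegeEscalation must be set explicitly; an unset field fails.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
    return problems

# Constructed sample: pod-level settings cover runAsNonRoot and seccomp, the
# "app" container is compliant, the "sidecar" container lacks its own fields.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-app", "namespace": "production"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "registry.example.com/app:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]},
                                 "readOnlyRootFilesystem": True, "runAsUser": 1000}},
            {"name": "sidecar", "image": "registry.example.com/sidecar:1.0"},
        ],
    },
}

if __name__ == "__main__":
    for line in restricted_violations(SAMPLE_POD) or ["compliant"]:
        print(line)
```

The sidecar is the usual culprit in practice: pod-level `runAsNonRoot` and `seccompProfile` are inherited, but `allowPrivilegeEscalation` and `capabilities` must be set on every container.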
System namespaces need privileged
Label kube-system, kube-node-lease, and operator namespaces as privileged. Don't enforce restricted on system components.
Best Practices
- Start with `warn` mode: see violations without blocking
- Enforce `restricted` on all application namespaces: most apps can comply
- Use `baseline` for monitoring/logging: Prometheus/Fluentd may need host access
- Use `privileged` only for system namespaces: kube-system, CNI, CSI operators
- Pin `enforce-version` to prevent surprise failures on K8s upgrades
Key Takeaways
- PSA replaces PodSecurityPolicy with namespace-level enforcement
- Three levels: privileged (none), baseline (sane defaults), restricted (hardened)
- Use `warn` + `audit` labels to discover violations before enforcing
- Restricted-compliant pods need: runAsNonRoot, drop ALL caps, seccomp RuntimeDefault, no privilege escalation
- System namespaces must remain privileged: don't lock out cluster components
