How to enforce Pod Security Standards in Kubernetes
Pod Security Admission enforces baseline or restricted profiles per namespace via labels. Start with warn and audit, harden the pod security context, then enforce and confirm non-compliant pods are rejected.
Enforcing Pod Security Standards
Pod Security Standards define three levels: privileged (unrestricted), baseline (blocks known privilege escalations), and restricted (hardened best practice). The built-in Pod Security Admission controller enforces a level per namespace via labels, with modes to enforce, audit, or warn.
Prerequisites
- A cluster with Pod Security Admission enabled (default in recent versions).
- Cluster admin access to label namespaces.
Steps
1. Understand the three profiles
Use baseline to block obvious risks like host networking, and restricted to require dropping capabilities, running as non-root, and a seccomp profile.
2. Audit a namespace first
Start non-disruptive. Audit and warn report violations without blocking, so you learn what would break before enforcing.
3. Add warn and audit labels
kubectl label namespace app \
pod-security.kubernetes.io/warn=restricted \
pod-security.kubernetes.io/audit=restricted
Apply workloads and read the warnings.
4. Harden pod security context
Update pods to satisfy restricted:
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop: ["ALL"]
5. Enforce the restricted level
Once workloads comply, switch to enforce:
kubectl label namespace app \
pod-security.kubernetes.io/enforce=restricted --overwrite
Non-compliant pods are now rejected at admission.
6. Verify rejected pods
Try to create a privileged pod and confirm it is denied with a clear policy message.
Verification
Apply a compliant workload and confirm it runs. Apply a pod that runs as root or requests added capabilities and confirm the API rejects it. The audit and warn labels should stop reporting violations once everything complies.
Next Steps
For policy beyond the three built-in levels, add a policy engine such as Kyverno or OPA Gatekeeper. Combine Pod Security with RBAC, network policies, and image scanning for layered defense.
Prerequisites
- A Kubernetes cluster
- Cluster admin access
- Workloads to harden
Steps
- 1Understand the three profiles
- 2Audit a namespace first
- 3Add warn and audit labels
- 4Harden pod security context
- 5Enforce the restricted level
- 6Verify rejected pods