Skip to main content

How to enforce Pod Security Standards in Kubernetes

Pod Security Admission enforces baseline or restricted profiles per namespace via labels. Start with warn and audit, harden the pod security context, then enforce and confirm non-compliant pods are rejected.

Difficulty
Intermediate
Duration
35 minutes
Steps
6

Enforcing Pod Security Standards

Pod Security Standards define three levels: privileged (unrestricted), baseline (blocks known privilege escalations), and restricted (hardened best practice). The built-in Pod Security Admission controller enforces a level per namespace via labels, with modes to enforce, audit, or warn.

Prerequisites

  • A cluster with Pod Security Admission enabled (default in recent versions).
  • Cluster admin access to label namespaces.

Steps

1. Understand the three profiles

Use baseline to block obvious risks like host networking, and restricted to require dropping capabilities, running as non-root, and a seccomp profile.

2. Audit a namespace first

Start non-disruptive. Audit and warn report violations without blocking, so you learn what would break before enforcing.

3. Add warn and audit labels

kubectl label namespace app \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/audit=restricted

Apply workloads and read the warnings.

4. Harden pod security context

Update pods to satisfy restricted:

securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop: ["ALL"]

5. Enforce the restricted level

Once workloads comply, switch to enforce:

kubectl label namespace app \
  pod-security.kubernetes.io/enforce=restricted --overwrite

Non-compliant pods are now rejected at admission.

6. Verify rejected pods

Try to create a privileged pod and confirm it is denied with a clear policy message.

Verification

Apply a compliant workload and confirm it runs. Apply a pod that runs as root or requests added capabilities and confirm the API rejects it. The audit and warn labels should stop reporting violations once everything complies.

Next Steps

For policy beyond the three built-in levels, add a policy engine such as Kyverno or OPA Gatekeeper. Combine Pod Security with RBAC, network policies, and image scanning for layered defense.

Prerequisites

  • A Kubernetes cluster
  • Cluster admin access
  • Workloads to harden

Steps

  • 1
    Understand the three profiles
  • 2
    Audit a namespace first
  • 3
    Add warn and audit labels
  • 4
    Harden pod security context
  • 5
    Enforce the restricted level
  • 6
    Verify rejected pods

Category

Security