
Pod Security Standards

Replacing PSPs

Profiles

The Kubernetes Pod Security Standards define different isolation levels for Pods, via profiles:

Privileged:
  • Unrestricted policy, providing the widest possible level of permissions
  • This policy allows for known privilege escalations
Baseline:
  • Minimally restrictive policy which prevents known privilege escalations
  • Allows the default (minimally specified) Pod configuration
Restricted:
  • Heavily restricted policy
  • Follows current Pod hardening best practices

Policy Instantiation

These profiles can be enforced in multiple ways:

  • Native: Pod Security Admission Controller (see below)
  • Third-party: OPA Gatekeeper, Kyverno, Kubewarden (see Compliance as Code - Kubernetes)

Pod Security Admission

Kubernetes offers a built-in Pod Security Admission controller to enforce the Pod Security Standards:

  • Pod security restrictions are applied at the namespace level when pods are created
  • Requirements are placed on a Pod's Security Context according to the three profiles defined by the Pod Security Standards (privileged, baseline, and restricted)
  • Labels are used to define which of the predefined Pod Security Standard levels you want to use for a namespace
  • The label you select defines what action the control plane takes if a potential violation is detected:
  • enforce: policy violations cause the pod to be rejected
  • audit: policy violations trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed
  • warn: policy violations trigger a user-facing warning, but are otherwise allowed

For each mode, there are two labels that determine the policy used:

# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>

---
apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
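As an added check (not part of this page or of Kubernetes itself), a small Python linter for the label scheme above: it validates the MODE, LEVEL and VERSION parts of every pod-security.kubernetes.io label and flags namespaces where nothing is actually enforced. It assumes the namespaces have already been loaded into dicts shaped like the manifests (the sample input below is constructed to mirror them, plus one mislabelled namespace).

```python
import re

# Values allowed by the Pod Security Admission labels described above.
PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
LEVELS = ("privileged", "baseline", "restricted")
VERSION_RE = re.compile(r"^(latest|v1\.\d+)$")  # e.g. latest, v1.25


def check_psa_labels(labels):
    """Return a list of findings for one namespace's metadata.labels.
    An empty list means every PSA label is well-formed and enforcement is on."""
    findings = []
    for key, value in labels.items():
        if not key.startswith(PREFIX):
            continue  # not a Pod Security Admission label
        suffix = key[len(PREFIX):]
        mode, is_version = suffix, False
        if suffix.endswith("-version"):
            mode, is_version = suffix[: -len("-version")], True
        if mode not in MODES:
            findings.append(f"{key}: mode must be one of {MODES}")
        elif is_version and not VERSION_RE.match(value):
            findings.append(f"{key}: version must be 'latest' or a minor version such as v1.25, got {value!r}")
        elif not is_version and value not in LEVELS:
            findings.append(f"{key}: level must be one of {LEVELS}, got {value!r}")
    enforce = labels.get(PREFIX + "enforce")
    if enforce is None:
        findings.append("no enforce label: enforcement falls back to the controller's cluster-wide default")
    elif enforce == "privileged":
        findings.append("enforce=privileged: no restrictions are enforced in this namespace")
    return findings


def check_namespaces(namespaces):
    """Map namespace name -> findings, for a list of Namespace-like dicts."""
    return {ns["metadata"]["name"]: check_psa_labels(ns["metadata"].get("labels", {}))
            for ns in namespaces}


# Constructed sample input: two namespaces from the manifests above and one with a typo.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "my-restricted-namespace", "labels": {
        PREFIX + "enforce": "restricted", PREFIX + "enforce-version": "latest",
        PREFIX + "warn": "restricted", PREFIX + "warn-version": "latest"}}},
    {"metadata": {"name": "my-privileged-namespace", "labels": {
        PREFIX + "enforce": "privileged", PREFIX + "enforce-version": "latest"}}},
    {"metadata": {"name": "typo-namespace", "labels": {
        PREFIX + "enfore": "restricted", PREFIX + "warn-version": "1.25"}}},
]

if __name__ == "__main__":
    for name, findings in check_namespaces(SAMPLE_NAMESPACES).items():
        print(name, "->", findings or ["OK"])
```

Feeding it the output of `kubectl get namespaces -o json` (the `items` list) turns it into a quick cluster-wide audit of which namespaces are actually under enforcement.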