
Pod Security Standards

Replacing PodSecurityPolicy (PSP), which was removed in Kubernetes v1.25


The Kubernetes Pod Security Standards define different isolation levels for Pods, via profiles:

| Profile    | Description |
|------------|-------------|
| Privileged | Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. |
| Baseline   | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration. |
| Restricted | Heavily restricted policy. Follows current Pod hardening best practices. |

Policy Instantiation

These profiles can be enforced in multiple ways:

| Method      | Description |
|-------------|-------------|
| Native      | Pod Security Admission Controller (see below) |
| Third-party | OPA Gatekeeper, Kyverno, Kubewarden (see Compliance as Code - Kubernetes) |

Pod Security Admission

Kubernetes offers a built-in Pod Security Admission controller to enforce the Pod Security Standards:

  • Pod security restrictions are applied at the namespace level when pods are created
  • Requirements are placed on a Pod's Security Context according to the three profiles defined by the Pod Security Standards (privileged, baseline, and restricted)
  • Labels are used to define which of the predefined Pod Security Standard levels you want to use for a namespace
  • The label you select defines what action the control plane takes if a potential violation is detected:

| Mode    | Description |
|---------|-------------|
| enforce | Policy violations will cause the pod to be rejected |
| audit   | Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed |
| warn    | Policy violations will trigger a user-facing warning, but are otherwise allowed |

The enforce mode only acts on Pod objects; audit and warn also check the pod template of workload resources (Deployments, Jobs, and so on). A Deployment whose template would produce rejected pods is therefore accepted without complaint, and its pods simply never appear, unless warn or audit is also set for the namespace.

For each mode, there are two labels that determine the policy used: a level label, and an optional version label that pins the mode to the checks that shipped with a given Kubernetes minor version, so that a cluster upgrade cannot silently tighten an enforced policy:

```yaml
# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
```

Example namespaces, one per level. The baseline and restricted namespaces also warn at the enforce level, so that workload resources whose pod template violates the policy get a warning at creation time instead of silently producing no pods:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # warn is assumed as the second mode here; audit is labelled the same way
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
---
apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
```
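To make the profile table and the label/mode scheme above concrete, here is an added example (not code from this page and not the Kubernetes controller) that models what Pod Security Admission does at admission time: it resolves the enforce, audit and warn levels from a namespace's labels, checks a Pod manifest against a subset of the baseline and restricted checks, and reports which mode would reject, audit or warn. The namespace labels and the three pods are constructed sample inputs; the function names and the check subset are this example's own choices, and the real controller has further checks (hostPath and hostPort, sysctls, AppArmor/SELinux options, procMount, the restricted volume-type list, Windows exemptions) that are omitted here.

```python
"""Simplified model of Pod Security Admission: resolve enforce/audit/warn levels
from namespace labels, then check a Pod against a subset of the baseline and
restricted profiles. Added example, not the Kubernetes implementation."""

PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
LEVELS = ("privileged", "baseline", "restricted")
# Capabilities the baseline profile lets a container add.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                 "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
                 "SYS_CHROOT"}


def resolve_modes(ns_labels):
    """Map each mode to (level, version). An unset level label means no
    restriction for that mode (privileged); an unset version means latest."""
    modes = {}
    for mode in MODES:
        level = ns_labels.get(PREFIX + mode, "privileged")
        if level not in LEVELS:  # treated as a configuration error in this example
            raise ValueError(f"invalid level {level!r} for mode {mode}")
        modes[mode] = (level, ns_labels.get(f"{PREFIX}{mode}-version", "latest"))
    return modes


def _containers(pod):
    """All container types are in scope, including init and ephemeral ones."""
    spec = pod.get("spec", {})
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def baseline_violations(pod):
    """Subset of the baseline checks: host namespaces, privileged, caps, seccomp."""
    spec = pod.get("spec", {})
    v = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            v.append(f"{key} must not be set to true")
    if spec.get("securityContext", {}).get("seccompProfile", {}).get("type") == "Unconfined":
        v.append("pod seccompProfile.type must not be Unconfined")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"container {c['name']}: privileged must not be true")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_CAPS
        if extra:
            v.append(f"container {c['name']}: capabilities {sorted(extra)} not allowed")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            v.append(f"container {c['name']}: seccompProfile.type must not be Unconfined")
    return v


def restricted_violations(pod):
    """Restricted includes every baseline check plus the hardening below.
    Pod-level securityContext values apply unless the container overrides them."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    v = baseline_violations(pod)
    if pod_sc.get("runAsUser") == 0:
        v.append("pod runAsUser must not be 0")
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append(f"container {name}: capabilities must drop ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"container {name}: may only add NET_BIND_SERVICE")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"container {name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            v.append(f"container {name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return v


CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations,
          "restricted": restricted_violations}


def evaluate(pod, ns_labels):
    """Decide per mode. Only enforce can reject the pod; audit and warn
    record their violations but let it through."""
    result = {"allowed": True}
    for mode, (level, version) in resolve_modes(ns_labels).items():
        violations = CHECKS[level](pod)
        result[mode] = {"level": level, "version": version, "violations": violations}
        if mode == "enforce" and violations:
            result["allowed"] = False
    return result


# Constructed sample input: a namespace that enforces baseline and warns on restricted.
NS_LABELS = {PREFIX + "enforce": "baseline", PREFIX + "enforce-version": "latest",
             PREFIX + "warn": "restricted", PREFIX + "warn-version": "latest"}
# Constructed sample pods: a default one, a clearly privileged one, and a hardened one.
PLAIN_POD = {"kind": "Pod", "metadata": {"name": "plain"},
             "spec": {"containers": [{"name": "app", "image": "nginx"}]}}
PRIVILEGED_POD = {"kind": "Pod", "metadata": {"name": "priv"},
                  "spec": {"hostNetwork": True, "containers": [
                      {"name": "app", "image": "nginx", "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"kind": "Pod", "metadata": {"name": "hardened"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "app", "image": "nginx", "securityContext": {
                             "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (PLAIN_POD, PRIVILEGED_POD, HARDENED_POD):
        r = evaluate(pod, NS_LABELS)
        print(pod["metadata"]["name"], "allowed" if r["allowed"] else "rejected",
              "| enforce:", r["enforce"]["violations"], "| warn:", r["warn"]["violations"])
```

Running it shows the practical difference between the modes: the plain nginx pod passes baseline enforcement and is admitted, but the restricted warn level lists the four fields it would need (allowPrivilegeEscalation: false, drop ALL capabilities, runAsNonRoot, a seccomp profile); the hostNetwork plus privileged pod is rejected by enforce; the hardened pod is clean at both levels. Against a real cluster the equivalent preview is a server-side dry run, for example `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline`, which prints the pods that would violate the level without changing any namespace.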