Mastering Pod Security Standards in Kubernetes
Pod Security Standards exist to address the critical need for security in Kubernetes environments. As containerized applications grow, so do the risks associated with misconfigurations and privilege escalations. These standards provide a framework to enforce security policies that can help you mitigate these risks effectively.
The Pod Security Standards define three distinct policies: Privileged, Baseline, and Restricted. The Privileged policy is wide open, allowing for known privilege escalations, which is useful in specific scenarios but risky in production. The Baseline policy strikes a balance, preventing known privilege escalations while allowing a default pod configuration that is easy to adopt. Finally, the Restricted policy enforces stringent hardening best practices, which may limit compatibility but significantly enhance security. Key configuration parameters include disallowing HostProcess containers in the Baseline policy and forbidding HostPath volumes entirely. You can configure security contexts at the container level, ensuring that all containers in a pod adhere to the specified security standards.
In production, be aware that if any container within a pod fails to meet the security requirements, the entire pod will fail validation. This means you must ensure all containers are compliant, which can complicate deployments. The standards are stable as of Kubernetes v1.26, so make sure your clusters are up to date to leverage these features effectively.
Key takeaways
- →Understand the differences between Privileged, Baseline, and Restricted policies.
- →Disallow HostProcess containers in the Baseline policy to prevent privilege escalations.
- →Forbid HostPath volumes to enhance pod security.
- →Ensure all containers in a pod meet security requirements to avoid validation failures.
- →Apply the RuntimeDefault AppArmor profile on supported hosts for added security.
Why it matters
Implementing Pod Security Standards can drastically reduce the attack surface of your Kubernetes clusters, protecting sensitive workloads from unauthorized access and privilege escalation.
Code examples
spec.containers[*].securityContextspec.volumes[*].hostPathspec.securityContext.seccompProfile.typeWhen NOT to use this
The official docs don't call out specific anti-patterns here. Use your judgment based on your scale and requirements.
Want the complete reference?
Read official docsUnified observability — logs, uptime monitoring, and on-call in one place. Used by 50,000+ engineering teams to ship faster and sleep better.
Try Better Stack free →Extend Your CKA Certification: The Power of CKS
Want to keep your Kubernetes Administrator certification current? Passing the Certified Kubernetes Security Specialist (CKS) exam now extends your CKA certification. This new feature simplifies credential maintenance for cloud-native professionals.
Building a Multi-Agent Security Platform on Kubernetes: Why Cloud Native is Key
Cloud-native architecture is essential for deploying agentic AI effectively. Discover how using the A2A protocol and mTLS can enhance inter-agent communication and security in your Kubernetes environment.
Locking Down Dependencies in CI/CD: A Must for Open Source Projects
In the world of open source, securing your CI/CD pipeline is non-negotiable. Pinning GitHub Actions by SHA digest is a critical step to prevent compromised code from sneaking into your workflows. Let's dive into how to implement this effectively.
Get the daily digest
One email. 5 articles. Every morning.
No spam. Unsubscribe anytime.