Description: Explore a production-tested, security-first approach to implementing Kubernetes Pod Security Standards, ensuring robust DevSecOps practices.
Introduction to Kubernetes Pod Security Standards
It was a quiet Thursday afternoon—or so I thought. I was reviewing logs when I noticed something odd: a privileged container running in our production cluster. Turns out, someone had deployed it with overly permissive settings during a rushed release. That single misstep could have been catastrophic if exploited. This is why Kubernetes Pod Security Standards (PSS) are non-negotiable in production environments.
Pod Security Standards are Kubernetes’ way of enforcing security policies at the pod level. They define what pods can and cannot do, ensuring your cluster isn’t a playground for attackers. But here’s the catch: implementing PSS correctly requires more than just flipping a switch. It demands thoughtful planning, testing, and integration into your DevSecOps workflows.
Understanding the Three Pod Security Modes
Kubernetes Pod Security Standards offer three modes: Privileged, Baseline, and Restricted. Each mode serves a different purpose, and understanding them is key to securing your cluster.
- Privileged: The “anything goes” mode. Pods have unrestricted access to host resources, which is great for debugging but a nightmare for security. Avoid this in production.
- Baseline: The middle ground. It restricts dangerous capabilities like host networking but allows common configurations. Suitable for most workloads.
- Restricted: The gold standard for security. It enforces strict policies, preventing privilege escalation, host access, and unsafe configurations. Ideal for sensitive workloads.
🔐 Security Note: Always aim for Restricted mode in production unless you have a compelling reason to use Baseline. Privileged mode should only be used for debugging or testing in isolated environments.
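The settings that separate the three modes can be checked mechanically. The checker below is an added example, not code from the original article: it grades a pod spec only on the controls this article names (host access, privileged containers, privilege escalation, dropped capabilities, volume types), so a "restricted" result here does not prove full compliance with the upstream standard. The function names and sample pod specs are constructed for illustration.

```python
# Added example: checks only the settings this article names, not every
# control in the upstream Pod Security Standards.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}

def containers(spec):
    """Yield every container kind; init and ephemeral ones count too."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []

def baseline_violations(spec):
    """Host access and privileged containers, which Baseline forbids."""
    found = [f"{f}=true" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    found += [f"volume {v['name']}: hostPath" for v in spec.get("volumes") or []
              if "hostPath" in v]
    for c in containers(spec):
        if (c.get("securityContext") or {}).get("privileged"):
            found.append(f"{c['name']}: privileged=true")
    return found

def restricted_violations(spec):
    """Extra requirements of Restricted; unset fields count as violations."""
    found = []
    for v in spec.get("volumes") or []:
        for kind in sorted(set(v) - {"name"} - RESTRICTED_VOLUMES):
            found.append(f"volume {v['name']}: type {kind}")
    for c in containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation not false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append(f"{c['name']}: capabilities.drop lacks ALL")
    return found

def strictest_level(spec):
    """Strictest level the pod could pass, judged on these checks alone."""
    if baseline_violations(spec):
        return "privileged"
    return "baseline" if restricted_violations(spec) else "restricted"

# Constructed pod specs (the .spec object of `kubectl get pod -o json`).
DEBUG_POD = {"hostNetwork": True, "containers": [
    {"name": "debug", "securityContext": {"privileged": True}}]}
DEFAULT_POD = {"containers": [{"name": "web"}],
               "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}]}
HARDENED_POD = {"containers": [{"name": "api", "securityContext": {
    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}

if __name__ == "__main__":
    for name, pod in [("debug", DEBUG_POD), ("default", DEFAULT_POD), ("hardened", HARDENED_POD)]:
        print(name, strictest_level(pod), baseline_violations(pod) + restricted_violations(pod))
```

A container that leaves `securityContext` unset lands in "baseline" rather than "restricted", because Restricted requires these fields to be set explicitly.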
Implementing Pod Security Standards in Production
Applying PSS policies in a real-world Kubernetes cluster can be challenging, but it’s worth the effort. Here’s how to do it:
Step 1: Define Your Policies
Start by defining Pod Security Standards in YAML files. For example:
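```yaml
# PodSecurityPolicy was served from policy/v1beta1 (there was never a policy/v1
# version) and the API was removed in Kubernetes v1.25.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'secret'
  # Strategy fields the PodSecurityPolicy API requires before it accepts the object.
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```

This policy enforces the Restricted mode, ensuring pods can’t escalate privileges or access the host.

Step 2: Apply Policies to Namespaces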
Assign policies to namespaces based on workload sensitivity. For example: