- Kubernetes Pod Security Standards (PSS): https://kubernetes.io/docs/concepts/security/pod-security-standards/
- Pod Security Admission (PSA): https://kubernetes.io/docs/concepts/security/pod-security-admission/
- Kyverno policies: https://kyverno.io/docs/writing-policies/validate/pod-security/

- Privileged: least restrictive. Permits constructs like
HostPathandHostNetwork. Intended only for trusted system workloads requiring node-level access. - Baseline: a practical default for many applications. Blocks common host-privilege escalation vectors (e.g.,
hostIPC,hostPID,hostPath) while remaining compatible with typical workloads. - Restricted: most restrictive. Enforces best practices such as non-root containers, removal of default Linux capabilities, and syscall restrictions—best for security-sensitive workloads.


podSecurity sub-rule inside a standard (Cluster)Policy. This makes it simple to express and enforce a PSS profile across namespaces without manual namespace labeling.
Example: enforce the Baseline profile cluster-wide
This compact ClusterPolicy enforces the Baseline profile for Pods and Deployments:
validationFailureAction: enforce(policy-level) determines whether violations are blocked (enforce) or only logged (auditin some versions).- The
validate.podSecuritysub-rule triggers Kyverno’s PSS checks. levelmust be one ofprivileged,baseline, orrestricted.versionpins the PSS definitions (for example,latestor1.24) to keep behavior stable as standards evolve.
Use
version: latest to automatically use the most recent PSS definitions supported by your Kyverno version, or pin to a specific PSS version (for example 1.24) to maintain predictable validation behavior.podSecurity sub-rule is compact but comprehensive. For example, if a developer submits a Pod that sets hostIPC: true, the Baseline profile will block it:
enforce-baseline), the profile (baseline:latest), and the exact forbidden setting (hostIPC=true), making remediation straightforward.
Switching profiles
To move from Baseline to Restricted, update the level field. Only a single-line change is needed in the policy rule:
podSecurity sub-rule simplifies applying Kubernetes Pod Security Standards consistently across clusters. You can:
- Express PSS profiles in a single policy rule,
- Enforce profiles cluster-wide without manual namespace labeling,
- Provide developers with actionable error messages that pinpoint failing controls.
- Kyverno Pod Security validation: https://kyverno.io/docs/writing-policies/validate/pod-security/
- Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/
- Pod Security Admission: https://kubernetes.io/docs/concepts/security/pod-security-admission/