Pod Security Standards
Definition
Pod Security Standards (PSS) are three predefined security profiles in Kubernetes, Privileged, Baseline and Restricted, that describe which pod and container settings a workload may use. Privileged is unrestricted and intended for trusted system workloads. Baseline blocks the known privilege escalations (privileged containers, host namespaces, hostPath volumes, dangerous added capabilities, unconfined seccomp). Restricted adds the current hardening best practices on top of Baseline: every container must run as non-root, drop all capabilities (adding back at most NET_BIND_SERVICE), set allowPrivilegeEscalation to false, and request a RuntimeDefault or Localhost seccomp profile. The standards are a specification, not an enforcement mechanism: they are applied by the Pod Security Admission controller (enabled by default since Kubernetes 1.23, GA in 1.25), which reads the pod-security.kubernetes.io/enforce, audit and warn labels on a namespace and rejects, logs or warns about pods that violate the chosen level. Their goal is to reduce the attack surface of workloads and to limit what a compromised container can reach on the node.
Secure Settings Example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    # Pod-level defaults, inherited by every container unless a container overrides them.
    runAsNonRoot: true              # the kubelet refuses to start a container whose image runs as UID 0
    seccompProfile:
      type: RuntimeDefault          # Restricted requires RuntimeDefault or Localhost, set here or per container
  containers:
    - name: secure-container
      # The stock nginx image starts as root, which runAsNonRoot would reject at container creation;
      # the unprivileged variant runs as a non-root user and listens on port 8080 instead of 80.
      image: nginxinc/nginx-unprivileged:latest
      securityContext:
        allowPrivilegeEscalation: false   # Restricted requires this to be set explicitly to false
        capabilities:
          drop:
            - ALL                   # Restricted allows adding back only NET_BIND_SERVICE
Insecure Settings Example
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  # No pod-level runAsNonRoot or seccompProfile: the container runs as root and
  # requests no seccomp profile, which already fails the Restricted level.
  containers:
    - name: insecure-container
      image: nginx:latest
      securityContext:
        privileged: true                # all capabilities, host device access, no confinement: fails Baseline
        allowPrivilegeEscalation: true  # redundant here, privileged already implies it: fails Restricted
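To make the difference between the two manifests concrete, the following evaluator re-implements a subset of the Baseline and Restricted controls and runs both pods through them. It is an added example, not code from the Kubernetes project or from the Pod Security Admission controller: the capability and volume-type allow lists are copied from the PSS documentation, the two pod dictionaries are transcriptions of the manifests above (the secure one keeps the original nginx:latest image, which the checks do not look at), and admit() only imitates how the enforce and warn namespace labels are applied.

```python
"""Subset of the Baseline and Restricted Pod Security Standards as checks.
Added example, not Kubernetes code: admit() imitates how Pod Security Admission
applies the pod-security.kubernetes.io/enforce and /warn namespace labels."""

# Capabilities a Baseline container may add (PSS "Capabilities" control).
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types a Restricted pod may use (PSS "Volume Types" control).
RESTRICTED_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}

def _containers(spec):
    """PSS evaluates regular, init and ephemeral containers alike."""
    return [c for key in ("containers", "initContainers", "ephemeralContainers")
            for c in spec.get(key) or []]

def _effective(pod_sc, ctr_sc, field):
    """A container-level securityContext field overrides the pod-level default."""
    return ctr_sc[field] if field in ctr_sc else pod_sc.get(field)

def check_baseline(pod):
    """Controls that block known privilege escalations (subset)."""
    spec, found = pod["spec"], []
    pod_sc = spec.get("securityContext") or {}
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            found.append(f"baseline: spec.{ns} must be false")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            found.append(f"baseline: volume {vol.get('name')} uses hostPath")
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            found.append(f"baseline: container {c['name']} is privileged")
        for cap in sorted(set(caps.get("add") or []) - BASELINE_ADD_CAPS):
            found.append(f"baseline: container {c['name']} adds capability {cap}")
        if (_effective(pod_sc, sc, "seccompProfile") or {}).get("type") == "Unconfined":
            found.append(f"baseline: container {c['name']} sets seccompProfile Unconfined")
    return found

def check_restricted(pod):
    """Baseline plus the hardening best-practice controls (subset)."""
    spec, found = pod["spec"], check_baseline(pod)
    pod_sc = spec.get("securityContext") or {}
    for vol in spec.get("volumes") or []:
        for kind in sorted(set(vol) - {"name"} - RESTRICTED_VOLUMES):
            found.append(f"restricted: volume {vol.get('name')} of type {kind} not allowed")
    for c in _containers(spec):
        n, sc = c["name"], c.get("securityContext") or {}
        caps, seccomp = sc.get("capabilities") or {}, _effective(pod_sc, sc, "seccompProfile") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"restricted: container {n} must set allowPrivilegeEscalation: false")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            found.append(f"restricted: container {n} must run with runAsNonRoot: true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            found.append(f"restricted: container {n} must not set runAsUser: 0")
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"restricted: container {n} must set seccompProfile RuntimeDefault or Localhost")
        if "ALL" not in (caps.get("drop") or []):
            found.append(f"restricted: container {n} must drop ALL capabilities")
        for cap in caps.get("add") or []:
            if cap != "NET_BIND_SERVICE":
                found.append(f"restricted: container {n} may only add NET_BIND_SERVICE, not {cap}")
    return found

LEVELS = {"privileged": lambda pod: [], "baseline": check_baseline, "restricted": check_restricted}

def admit(pod, namespace_labels):
    """Imitate Pod Security Admission: the enforce level decides admission, the
    warn level only annotates. An unset mode defaults to privileged (no checks)."""
    enforce = namespace_labels.get("pod-security.kubernetes.io/enforce", "privileged")
    warn = namespace_labels.get("pod-security.kubernetes.io/warn", "privileged")
    blocking = LEVELS[enforce](pod)
    warnings = [f"warning: would violate {warn}: {v}" for v in LEVELS[warn](pod)]
    return not blocking, blocking + warnings

# Constructed inputs, transcribed from the two manifests on this page.
SECURE_POD = {"metadata": {"name": "secure-pod"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "secure-container", "image": "nginx:latest", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
INSECURE_POD = {"metadata": {"name": "insecure-pod"}, "spec": {
    "containers": [{"name": "insecure-container", "image": "nginx:latest",
                    "securityContext": {"privileged": True, "allowPrivilegeEscalation": True}}]}}

if __name__ == "__main__":
    labels = {"pod-security.kubernetes.io/enforce": "baseline",
              "pod-security.kubernetes.io/warn": "restricted"}
    for pod in (SECURE_POD, INSECURE_POD):
        ok, msgs = admit(pod, labels)
        print(pod["metadata"]["name"], "admitted" if ok else "REJECTED", *msgs, sep="\n  ")
```

With enforce set to baseline and warn to restricted, secure-pod is admitted with no messages, while insecure-pod is rejected for the privileged container and additionally warned about four Restricted violations (no explicit allowPrivilegeEscalation: false, no runAsNonRoot, no seccomp profile, no dropped capabilities). Note how the pod-level securityContext counts as the default for each container: a container that sets runAsNonRoot: false overrides a pod-level true and fails Restricted on its own.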