PSS
Definition
PSS, or Pod Security Standards, are a set of guidelines in Kubernetes that define different levels of security policies for pods. These standards help ensure that pods are running with the least privilege necessary, reducing the risk of security vulnerabilities. PSS is typically categorized into three levels: Privileged, Baseline, and Restricted, each offering varying degrees of security controls to protect the Kubernetes environment.
Secure Settings Example
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
capabilities:
drop:
- ALL
containers:
- name: secure-container
image: nginx:latest
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
Insecure Settings Example
apiVersion: v1
kind: Pod
metadata:
name: insecure-pod
spec:
securityContext:
runAsNonRoot: false
capabilities:
add:
- NET_ADMIN
containers:
- name: insecure-container
image: nginx:latest
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true