Pod Security Standards (PSS)

Why Pod Security Standards

Picture a busy airport. Planes (pods) take off daily, but not every plane should have unrestricted access to runways, fuel depots, or control towers. Without rules, accidents or breaches would be inevitable. Kubernetes faced the same challenge: pods are powerful, but if misconfigured, they can escalate privileges, access host resources, or compromise the cluster.

Pod Security Standards (PSS) were born as the aviation safety rules of Kubernetes, ensuring workloads run with the right level of privilege and isolation.

Pod Security Standards

PSS defines three levels of security policies:

Privileged:
- Broad permissions, minimal restrictions.
- Use Case: Trusted system workloads (e.g., CNI plugins).
- Analogy: Privileged pods are like emergency aircraft - allowed to bypass normal restrictions but only when necessary.
Baseline:
- Restricts known privilege escalations but allows common pod configurations.
- Use Case: General workloads that don’t need host access.
- Analogy: Baseline pods are like commercial flights - safe, regulated, but flexible enough for daily operations.
Restricted:
- Enforces strict isolation, disallows privilege escalation, requires non‑root users.
- Use Case: Sensitive workloads requiring maximum security.
- Analogy: Restricted pods are like cargo planes carrying hazardous materials - operating under the tightest safety rules.

Global Context

Enterprises: Use PSS to enforce compliance and prevent misconfigured pods from compromising clusters.
Cloud Providers: Managed Kubernetes services integrate Pod Security Standards with admission controllers.
Community: PSS replaced PodSecurityPolicies (PSPs), simplifying security enforcement across clusters.

Hands‑On Exercise

Reflect: How does enforcing PSS prevent unsafe workloads from running in sensitive namespaces?

Try deploying a privileged pod:

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: dev-team
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      privileged: true

kubectl apply -f privileged-pod.yaml

→ This will be denied due to the restricted policy.

Apply a restricted policy to a namespace:

kubectl label namespace dev-team pod-security.kubernetes.io/enforce=restricted

The Hacker’s Notebook

Privileged pods are exceptions - use sparingly.
Baseline pods are defaults - safe for most workloads.
Restricted pods are fortresses - maximum isolation for sensitive apps.
Lesson for engineers: Don’t trust workloads blindly - enforce standards.
Hacker’s mindset: Treat PSS as your safety net. With it, you can prevent misconfigurations from becoming breaches.

Tips, Tricks, Roadmaps, Resources, Networking, Motivation, Guidance, and Cool Stuff ♥

Updated on Dec 29, 2025

Module 1: Kubernetes Foundations

Module 2: Kubernetes Starter

Module 3: Workloads & Scheduling

Module 4: Networking & Services

Module 5: Storage & Configs

Module 6: Security & RBAC

Module 7: Scaling & Availability

Module 8: Observability Stack

Module 9: Advanced Kubernetes

Module 10: Real‑World Workflows

Module 11: Capstone Project

Module 12: Kubernetes Cheatsheet