Pod Security Standards

Three profiles, from most permissive to most restrictive:

Privileged: unrestricted; for system and infrastructure workloads
Baseline: minimally restrictive; blocks known privilege escalations (host namespaces, privileged containers, hostPath volumes) while allowing the default pod configuration
Restricted: heavily restricted; current pod-hardening best practice (non-root, drop ALL capabilities, no privilege escalation, seccomp RuntimeDefault or Localhost)

Pod Security Admission

Built-in admission controller (the PodSecurity plugin) that evaluates pods against the Pod Security Standards

Enforces the standards cluster-wide at admission time: the level is chosen per namespace via labels, and a cluster-wide default plus exemptions can be set in the API server's AdmissionConfiguration

Successor of Pod Security Policies (PSP), deprecated in Kubernetes v1.21 and removed in v1.25

Mode     Description
enforce  Violations cause the pod to be rejected
audit    Violations are recorded as an annotation on the audit event (pod-security.kubernetes.io/audit-violations); the pod is still admitted
warn     Violations return a user-facing warning to the client (kubectl prints it as "Warning:"); the pod is still admitted

enforce applies only to Pod resources; audit and warn are also evaluated against the pod template of workload resources (Deployments, Jobs, ...), so violations surface before any pod is created


Opt-in per namespace

Namespace labels select the mode and the level, optionally pinned to a Kubernetes version:

pod-security.kubernetes.io/MODE: LEVEL
pod-security.kubernetes.io/MODE-version: VERSION   (e.g. v1.29, or latest)

A namespace may carry labels for all three modes at once, each with its own level: for example enforce baseline while warn and audit report against restricted, to find workloads that would break before tightening enforce
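The modes table and the namespace labels above, exercised end to end as an added example (Python written for this page, not Kubernetes code): a toy admission check that parses the pod-security.kubernetes.io/MODE and MODE-version labels of a namespace, evaluates a pod against a subset of the baseline and restricted controls, and applies the enforce / audit / warn semantics. The label keys, level names and the audit annotation key are the real ones; the check list is incomplete, and the result dict, the sample namespace labels and the sample pods are constructed for illustration.

```python
# Toy model of Pod Security Admission. Added example, not Kubernetes source: it
# re-implements a SUBSET of the baseline/restricted checks and the enforce / audit /
# warn label semantics. Label keys, level names and the audit annotation key are real.
LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
LEVELS = ("privileged", "baseline", "restricted")
# Capabilities a container may still add under the baseline profile.
BASELINE_ADD_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                     "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}


def parse_namespace_labels(labels):
    """Map each labelled mode to (level, version); the version defaults to 'latest'."""
    policy = {}
    for mode in MODES:
        level = labels.get(LABEL_PREFIX + mode)
        if level is not None:
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r} for mode {mode!r}")
            policy[mode] = (level, labels.get(f"{LABEL_PREFIX}{mode}-version", "latest"))
    return policy


def _containers(pod):
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def baseline_violations(pod):
    """Subset of baseline: no host namespaces, hostPath volumes, privileged mode or extra caps."""
    spec, found = pod["spec"], []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"host namespace {key}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"hostPath volume {vol['name']!r}")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"privileged container {c['name']!r}")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ADD_CAPS
        if extra:
            found.append(f"container {c['name']!r} adds non-default capabilities {sorted(extra)}")
    return found


def restricted_violations(pod):
    """Baseline plus the restricted hardening controls (subset)."""
    pod_sc = pod["spec"].get("securityContext", {})
    found = baseline_violations(pod)
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"allowPrivilegeEscalation != false (container {name!r})")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"unrestricted capabilities (container {name!r} must drop ALL)")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"restricted capabilities (container {name!r} may only add NET_BIND_SERVICE)")
        # Container-level securityContext fields override the pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"runAsNonRoot != true (container {name!r})")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"seccompProfile (container {name!r} must set RuntimeDefault or Localhost)")
    return found


CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations, "restricted": restricted_violations}


def admit(pod, namespace_labels):
    """Evaluate every labelled mode: enforce rejects, warn and audit only record (result shape is assumed)."""
    result = {"allowed": True, "reason": None, "warnings": [], "audit_annotations": {}}
    for mode, (level, version) in parse_namespace_labels(namespace_labels).items():
        violations = CHECKS[level](pod)
        if not violations:
            continue
        msg = f'PodSecurity "{level}:{version}": ' + ", ".join(violations)
        if mode == "enforce":
            result["allowed"], result["reason"] = False, "violates " + msg
        elif mode == "warn":  # returned to the client; kubectl prints it as "Warning:"
            result["warnings"].append("would violate " + msg)
        else:  # audit: annotation on the API server audit event, never blocks
            result["audit_annotations"][LABEL_PREFIX + "audit-violations"] = "would violate " + msg
    return result


# Constructed namespace labels: enforce baseline now, warn and audit against restricted
# (audit pinned to a version) to find workloads that would break before tightening enforce.
NS_LABELS = {LABEL_PREFIX + "enforce": "baseline", LABEL_PREFIX + "warn": "restricted",
             LABEL_PREFIX + "audit": "restricted", LABEL_PREFIX + "audit-version": "v1.29"}
# Constructed pod: acceptable under baseline, not hardened enough for restricted.
POD_BASELINE_OK = {"metadata": {"name": "web"}, "spec": {"containers": [
    {"name": "app", "image": "nginx", "securityContext": {"allowPrivilegeEscalation": False}}]}}
# Constructed pod: the same workload hardened so that it passes restricted.
POD_RESTRICTED_OK = {"metadata": {"name": "web-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
# Constructed pod: privileged container, rejected by baseline and therefore by enforce.
POD_PRIVILEGED = {"metadata": {"name": "dbg"}, "spec": {"containers": [
    {"name": "tool", "image": "busybox", "securityContext": {"privileged": True}}]}}
```

Calling admit(POD_BASELINE_OK, NS_LABELS) admits the pod (it passes the enforced baseline level) but returns one warning and one audit annotation naming the three restricted controls it misses; admit(POD_PRIVILEGED, NS_LABELS) is rejected by enforce; the hardened pod produces neither. This is the roll-out pattern the labels are designed for: leave enforce at the current level, read the audit log and the warnings for the stricter level, fix the workloads, then raise enforce.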


See also

Kyverno, the Kubernetes-native policy engine: can express the Pod Security Standards as custom policies and extend them beyond PSA's fixed profiles

OPA Gatekeeper, the general-purpose policy engine (Rego constraints enforced through admission webhooks)

Sigstore policy-controller, which focuses on verification of image signatures rather than pod security settings