Pod Security Standards

Successor of Pod Security Policies

Manages security context (among other things)

# Pod-level security context
spec:
  securityContext:
    fsGroup: <integer>
    runAsGroup: <integer>
    runAsNonRoot: <boolean>
    runAsUser: <integer>

# Container-level security context
spec:
  containers:
  - securityContext:
      allowPrivilegeEscalation: <boolean>
      capabilities: <Object>
      privileged: <boolean>
      readOnlyRootFilesystem: <boolean>
      runAsGroup: <integer>
      runAsNonRoot: <boolean>
      runAsUser: <integer>

Policies

Three policies, ordered from highly permissive to highly restrictive:

Privileged -> Baseline -> Restricted


Pod Security Admission

Built-in admission controller for pod security

Enabled by default

Cluster-wide enforcement of the Pod Security Standards

Mode     Description
enforce  Violations cause the pod to be rejected
audit    Violations are allowed, but recorded in the audit log
warn     Violations are allowed, but trigger a user-facing warning

Enforce without audit or warn = pod rejected quietly (no log entry, no user message)

Enforce with audit or warn = pod rejected, with an admin-facing log entry or a user-facing message

Enforce with audit and warn = pod rejected, with both an admin-facing log entry and a user-facing message

Audit without enforce = pod admitted, but you learn what enforcing would have rejected


Demo: Pod Security Standard

Opt-in per namespace

Labels control operational mode:

pod-security.kubernetes.io/<MODE>: <POLICY>

A namespace can carry labels for all three modes at once (e.g. all pointing at a single policy)

See here for demos
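A concrete pair of manifests for the demo described above, added here as an example (not taken from the deck): a namespace that enforces Baseline while auditing and warning on Restricted, plus a pod that passes the Restricted policy using the securityContext fields listed earlier. Namespace, pod, container and image names are constructed for illustration; seccompProfile is not in the field list above but is one of the settings the Restricted policy requires.

```yaml
# Namespace: reject Baseline violations, but only audit/warn on
# Restricted ones, so the stricter level can be evaluated before
# it is enforced (the "audit without enforce" case above).
apiVersion: v1
kind: Namespace
metadata:
  name: psa-demo                      # constructed name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Pod that satisfies the Restricted policy in that namespace.
apiVersion: v1
kind: Pod
metadata:
  name: restricted-ok                 # constructed name
  namespace: psa-demo
spec:
  securityContext:                    # pod-level fields
    runAsNonRoot: true
    runAsUser: 10001                  # any non-zero UID/GID
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault            # required by Restricted
  containers:
  - name: app                         # constructed name
    image: busybox:1.36               # constructed choice; runs fine as non-root
    command: ["sleep", "3600"]
    securityContext:                  # container-level fields
      allowPrivilegeEscalation: false # required by Restricted
      privileged: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]                 # required by Restricted
```

Applying the same pod with `privileged: true` would be admitted under the Baseline enforce label? No: privileged containers violate Baseline, so it is rejected; a pod that merely omits `seccompProfile` passes Baseline but produces a warning and an audit annotation for Restricted.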