
Pod security standards in Kubernetes - Commands & Configuration

Introduction
Pod security standards help keep your Kubernetes pods safe by setting rules about what pods can and cannot do. They protect your cluster from risky or harmful pod configurations.
Use them in situations like these:

  • When you want to prevent pods from running as the root user to improve security.
  • When you need to restrict pods from accessing the host network or host filesystem.
  • When you want to enforce consistent security settings across all pods in a namespace.
  • When you want to block pods that use privileged containers or dangerous capabilities.
  • When you want to apply different security levels for development and production environments.
Config File - pod-security-standards.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false

This PodSecurityPolicy named restricted-psp sets strict rules:

  • privileged: false disallows privileged containers.
  • allowPrivilegeEscalation: false blocks privilege escalation.
  • requiredDropCapabilities: ALL drops all extra Linux capabilities.
  • volumes limits allowed volume types.
  • hostNetwork, hostIPC, hostPID: false prevents pods from using host namespaces.
  • runAsUser: MustRunAsNonRoot forces pods to run as non-root users.
  • supplementalGroups and fsGroup enforce group ID ranges.

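This policy helps enforce the restricted Pod Security Standard. Note that the PodSecurityPolicy API was deprecated in Kubernetes v1.21 and removed in v1.25, so this manifest and the commands below apply only to clusters older than v1.25.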

Commands
This command applies the PodSecurityPolicy to the Kubernetes cluster, creating the restricted security rules for pods.
Terminal
kubectl apply -f pod-security-standards.yaml
Expected Output
podsecuritypolicy.policy/restricted-psp created
This command retrieves and shows the details of the applied PodSecurityPolicy to verify it was created correctly.
Terminal
kubectl get podsecuritypolicy restricted-psp -o yaml
Expected Output
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
-o yaml - Outputs the policy details in YAML format for easy reading
This command checks if your current user or service account has permission to use the restricted PodSecurityPolicy.
Terminal
kubectl auth can-i use podsecuritypolicy restricted-psp
Expected Output
yes
Key Concept

If you remember nothing else from this pattern, remember: Pod security standards set clear rules to keep pods safe by limiting risky permissions and actions.

Common Mistakes
  • Mistake: Not applying the PodSecurityPolicy to the correct namespace or user roles.
    Why it matters: The policy exists but pods or users cannot use it, so security is not enforced.
    Fix: Bind the PodSecurityPolicy to the right namespaces and user roles using RoleBindings or ClusterRoleBindings.

  • Mistake: Allowing privileged containers or running pods as root unintentionally.
    Why it matters: This opens security risks like privilege escalation or host access.
    Fix: Set privileged to false and the runAsUser rule to MustRunAsNonRoot in the policy.
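
The binding described under the first mistake, as an added example that is not part of the original page: a ClusterRole that grants the use verb on restricted-psp, bound to every service account in one namespace. The names psp-restricted-user and psp-restricted-binding and the namespace demo are assumptions chosen for illustration, and the manifest assumes the PodSecurityPolicy admission plugin is enabled on the cluster.

```yaml
# Added example: RBAC that lets workloads in one namespace use restricted-psp.
# Names other than restricted-psp are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user          # hypothetical name
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']                   # 'use' is the verb PSP authorization checks
    resourceNames: ['restricted-psp']  # limit the grant to this one policy
---
# A RoleBinding (not a ClusterRoleBinding) scopes the grant to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-binding       # hypothetical name
  namespace: demo                    # hypothetical namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
  # Pods created by controllers (Deployments, Jobs, ...) are authorized
  # through the pod's service account, so bind the namespace's service
  # accounts rather than individual human users.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:demo
# Check the result as a service account instead of as yourself:
#   kubectl auth can-i use podsecuritypolicy/restricted-psp \
#     --as=system:serviceaccount:demo:default -n demo
```

Avoid binding a more permissive policy to a broad group such as system:authenticated in the same cluster, because a subject that can use several policies is not limited to the strictest one.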
Summary
Create a PodSecurityPolicy YAML file that defines strict security rules for pods.
Apply the policy to the cluster using kubectl apply.
Verify the policy is created and check permissions with kubectl commands.