⌂ Home
Pod Security Standards
Interactive guide to Privileged, Baseline, Restricted profiles and enforce, audit, warn modes in Pod Security Admission.
Pod Security Admission replaced PodSecurityPolicy with a simpler namespace-label model. The real learning goal is understanding profile levels and enforcement modes together.
Concept
PSS Levels
Admission Flow
Namespace Policies
Flow
Examples
Compare
Practice
Core Model
Understand the Concept First
Three profiles
Privileged, Baseline, and Restricted define increasing levels of hardening.
Namespace-level labels
Pod Security Admission uses namespace labels to set desired policy behavior.
Three modes
enforce rejects, audit records, and warn notifies without blocking.
Security Profiles
Pod Security Standards Levels Comparison
Click on any security level to see detailed restrictions and allowed capabilities.
Privileged
No Restrictions
ð
â Host namespaces allowed
â Privileged containers
â Host path volumes
â All capabilities
â Run as root
â Any user/group ID
Use: System workloads
Baseline
Minimally Restrictive
â ïļ
â No privileged containers
â Limited host namespaces
â Limited capabilities
â No host path volumes
â Can run as root
â Any user/group ID
Use: General applications
Restricted
Hardened Security
ð
â No privileged containers
â No host access
â All capabilities dropped
â Must run as non-root
â Drop ALL capabilities
â seccompProfile required
Use: Security-sensitive apps
Select a level to see details
Security Progression: Privileged allows everything â Baseline blocks common escalations â Restricted enforces defense-in-depth hardening
Policy Enforcement
Pod Security Admission Flow
See how different enforcement modes affect pod admission outcomes.
Enforce Mode
Audit Mode
Warn Mode
Pod Request
User submits
Pod manifest
API Server
Receives
request
PSA Controller
Checks namespace
labels for policy
Evaluate against:
Security Profile
â Allowed
Pod meets
security standards
â Denied
Pod violates
security policy
ð Logged
Violation recorded
Pod still created
â ïļ Warning
User notified
Pod still created
Enforce Mode
Pods that violate the policy are rejected and not created.
Migration Strategy: Start with warn to see violations â Add audit to log them â Finally enable enforce when ready
Multi-Namespace Policies
Namespace Policy Visualization
Different namespaces can have different security policies. Click each namespace to see its configuration.
production
staging
development
kube-system
Kubernetes Cluster
production (Restricted) ð
Labels:
enforce: restricted
audit: restricted
warn: restricted
Security Requirements:
â No privileged containers
â Must run as non-root
â Drop all capabilities
staging (Baseline) â ïļ
Labels:
enforce: baseline
audit: baseline
warn: restricted
Security Requirements:
â No privileged containers
â Limited host access
â Can run as root
development (Baseline) â ïļ
Labels:
enforce: baseline
audit: baseline
warn: baseline
Security Requirements:
â No privileged containers
â Limited capabilities
â More permissive
kube-system (Privileged) ð
Labels:
enforce: privileged
audit: privileged
warn: privileged
Security Requirements:
â All capabilities allowed
â Host access permitted
â System components
Running Pods
web-app
non-root user
api-server
seccomp enabled
database
read-only root
Best Practices
âĒ Use restricted for production workloads
âĒ Use baseline for development/staging
âĒ Reserve privileged for system namespaces
âĒ Test with warn/audit before enforce
âĒ Document exceptions explicitly
Privileged vs Restricted
Feature
Privileged
Restricted
Root user
â
â
Host access
â
â
Capabilities
All
None
Seccomp
Optional
Required
Lifecycle Flow
Namespace Policy Enforcement Flow
1
Label namespace
Set enforce, audit, and warn levels through namespace labels.
2
Submit Pod or workload
A user creates a Pod or a controller creates one on the namespaceââŽâĒs behalf.
3
Admission checks profile
Kubernetes compares the workload against the selected security profile.
4
Allow, warn, or reject
The request outcome depends on which mode is configured.
The most useful migration path is often to start with warn or audit before moving to strict enforce mode.
YAML and Commands
Examples You Can Recognize Quickly
Namespace Labels
pod-security.kubernetes.io/enforce=restricted
Useful Commands
kubectl label namespace pss-restricted pod-security.kubernetes.io/enforce=restricted
Decision Guide
Profile Comparison
Profile
Security posture
Typical use
Privileged
Minimal restriction
Trusted system workloads
Baseline
Blocks common privilege escalation risks
General application workloads
Restricted
Strong hardening expectations
Security-sensitive namespaces
Restricted is the most secure profile, but Baseline is often the practical stepping stone for many existing workloads.
Use It Well
Practice and Real-World Thinking
Namespace hardening
Set different security levels for dev, shared, and critical namespaces.
Migration planning
Use warn and audit to discover what would break before enforcing.
Security review
Combine PSA with container security context design for better results.