CLoudOps Now!

,

How to Implement Pod Security Standards in Kubernetes 1.25+

Posted by

Mohammad Gufran Jahangir

🔐 How to Implement Pod Security Standards in Kubernetes 1.25+

A Complete Guide to Strengthen Your Cluster’s Pod-Level Security

Kubernetes makes it easy to run applications at scale — but securing those apps? That’s a different story.

Starting from Kubernetes v1.25, the legacy PodSecurityPolicy (PSP) has been removed, and replaced by Pod Security Standards (PSS) — a simpler, namespaced-based way to control what Pods can and cannot do.

In this blog, we’ll explore what PSS is, why it matters, and step-by-step how to implement it — from beginner to production-grade setups.

🔎 What Are Pod Security Standards (PSS)?

PSS define a set of recommended security profiles for Pods, categorized into three levels:

LevelDescription
PrivilegedNo restrictions (least secure) — full access to host capabilities
BaselineMinimally restrictive — prevents known escalations and risky settings
RestrictedHighly secure — follows “least privilege” best practices (default for production)

These levels apply to Pod specifications like:

  • Running as root
  • Host networking/IPC
  • Privileged containers
  • Volume types (hostPath, etc.)
  • Capabilities like NET_ADMIN

🧭 Step 1: Understand the Enforcement Modes

PSS is enforced per namespace using labels and admission control.

Three enforcement modes:

ModeBehavior
enforceBlocks pod creation if it violates rules
auditLogs violations but doesn’t block
warnShows client-side warning but allows pod creation

You can use one or all three modes simultaneously.

⚙️ Step 2: Enable Pod Security Admission (PSA) in Kubernetes

As of v1.25+, the PodSecurity admission controller is built-in and enabled by default.
No need to install anything — it’s ready to use.

📁 The controller works by applying labels to namespaces.

🛠️ Step 3: Label Your Namespaces

Use the following label format:

php-templateCopyEditpod-security.kubernetes.io/<mode>: <level>

Example:

bashCopyEditkubectl label ns dev \
  pod-security.kubernetes.io/enforce=baseline \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/warn=restricted

This setup:

  • Blocks pods violating baseline rules
  • Audits and warns on anything violating restricted rules

📌 Pro Tip:

Use "latest" or pin to a version:

bashCopyEditpod-security.kubernetes.io/enforce-version=latest

🔍 Step 4: Test It (Create Violating Pod)

Try creating an insecure pod:

yamlCopyEditapiVersion: v1
kind: Pod
metadata:
  name: test-root
spec:
  containers:
  - name: root
    image: busybox
    command: ["sh", "-c", "sleep 3600"]
    securityContext:
      runAsUser: 0

This should be:

  • Blocked under enforce=restricted
  • Warned under warn=restricted

🧪 Step 5: View Violations (Audit Logs)

Check events or audit logs:

bashCopyEditkubectl get events --namespace dev

Look for warnings like:

pgsqlCopyEditpod-security.kubernetes.io/warn: violates restricted policy

These help you gradually harden your policies without breaking apps.

🧩 Step 6: Apply Policies Based on Environments

EnvironmentPolicy Recommendation
devenforce=baseline, audit=restricted
stagingenforce=baseline, warn=restricted
productionenforce=restricted, audit=restricted

Define policy strictness based on risk tolerance.

📊 Step 7: Visualize Violations (Optional Tools)

Use tools to analyze and audit Pod specs for security compliance:

  • OPA/Gatekeeper — custom policies with Rego
  • Kyverno — policy as code with Kubernetes-native syntax
  • kubectl-who-can — understand RBAC access
  • Trivy — scan pods for CVEs and misconfigs

🧠 Advanced Practices

✅ Default Labels via Admission Webhooks

Use automation tools (like Kyverno or OPA) to automatically apply PSS labels to every new namespace.

✅ Policy Drift Detection

Set up GitOps (e.g., ArgoCD) to prevent unauthorized label changes.

✅ Combine with Runtime Security

PSS protects before deployment. Pair it with tools like Falco or Sysdig for runtime detection.

🧰 Tools Recap

ToolPurpose
PSA (built-in)Native enforcement
KyvernoCustom policies, namespace auto-labeling
Gatekeeper (OPA)Custom admission rules
TrivyImage & manifest scanning
FalcoRuntime security alerting

🚀 Final Thoughts

With Pod Security Policies gone in K8s 1.25+, PSS and PSA are the new standard — and honestly, they’re simpler and more flexible.

To summarize:

ActionDescription
Learn PSS levelsUnderstand privileged, baseline, restricted
Label your namespacesUse pod-security.kubernetes.io/* labels
Audit and warn before enforcingAvoid breaking workloads
Use tools for policy automationKyverno, Trivy, Gatekeeper
Treat PSS as part of shift-left securitySecurity begins at deployment time

Lock down your pods, namespace by namespace — because in cloud-native, security isn’t optional.

,

Mohammad Gufran Jahangir

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Recent Posts

Categories

Tags

Ansible interview questions that are commonly asked in interviews Apache Spark Azure Azure Databricks Azure SQL Database AZURE SQL SERVER Certification Manual: DevOps Foundation Certification Condition module executations in Ansible Playbook Databricks Data Skew Deadlock Detected DevOps DevOpsSchool Examples for Terraform Variables Git How to Analyze logs using logs in an Azure storage account How to push/pull and clone files between Local machine and GitHub Kubernetes lakehouse Management Group and Subscription Microsoft Fabric MotoShare Rajesh Kumar Snowflake Stash terraform Timeout Errors in Streaming Jobs Unity Catalog What is SQL Server Statistics and how to Collect/Update Statistics in SQL Server Database What tools and technologies are essential for effective CloudOps?

0
Would love your thoughts, please comment.x
()
x