CKS Notes – Pod Security



This content originally appeared on DEV Community and was authored by Cheedge Lee

For Pod Security, there are basically two layers/types:

  • Pod security settings for each pod

  • namespace labels for Pod Security Admission (PSA)

Layer A: Pod security settings

Defined in:

spec.containers[*].securityContext
spec.securityContext

The first path is container-specific; the second is pod-wide.

Together they set the runtime security for the pod's containers.

Examples:

  • runAsNonRoot

  • runAsUser

  • allowPrivilegeEscalation

  • readOnlyRootFilesystem

  • capabilities

  • seccompProfile

  • privileged

  • fsGroup

Layer B: Namespace-level Pod Security Admission (PSA)

Defined using labels:

pod-security.kubernetes.io/enforce: restricted|baseline|privileged

This sets namespace-wide rules that every pod in the namespace is checked against before it is created.

  • restricted : strongest security, disallows most risky features

  • baseline : medium security

  • privileged : allow almost anything

How they work together

  • PSA (namespace label) is the policy gate

  • Pod securityContext is the actual behavior inside the pod

Even if the pod sets something insecure, PSA can block it.

Best-practice hardening rules

Here are some best-practice pod hardening rules:

0. Namespace

Set the PSA enforce level of the namespace to restricted.

1. Run as non-root

runAsNonRoot: true
runAsUser: 1000

Avoid the privileged UID 0 (root).

2. Disallow privilege escalation

allowPrivilegeEscalation: false

Stops processes from gaining higher privileges (e.g., via setuid binaries).

3. Drop unnecessary Linux capabilities

capabilities:
  drop: ["ALL"]

Add back only the capabilities you need.

4. Use a read-only root filesystem

readOnlyRootFilesystem: true

Prevents writes to /, which reduces opportunities for persistence and other attacks.

5. Use seccomp (system call filtering)

seccompProfile:
  type: RuntimeDefault

Prevents dangerous syscalls.

6. Avoid privileged containers

privileged: false

Never run privileged unless absolutely needed.

7. Use AppArmor (if available)

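annotations:
  container.apparmor.security.beta.kubernetes.io/nginx: runtime/default

The annotation key ends with the container name (nginx here). From Kubernetes v1.30 the securityContext.appArmorProfile field replaces this annotation.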

8. Restrict host access

Avoid these unless needed:

  • hostNetwork

  • hostPID

  • hostIPC

  • hostPath volumes
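The rules above combined into one manifest, showing which settings belong under spec.securityContext and which under the container's securityContext. This is an added example, not from the original post; the namespace name, pod name and image are placeholders, and AppArmor (rule 7) is left out because it depends on node support.

```yaml
# Added example. hardened-demo, web and the image reference are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-demo
  labels:
    pod-security.kubernetes.io/enforce: restricted   # rule 0: PSA policy gate
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: hardened-demo
spec:
  # rule 8: hostNetwork, hostPID and hostIPC are left unset (default false),
  # and no hostPath volume is used.
  securityContext:                # pod-wide: spec.securityContext
    runAsNonRoot: true            # rule 1
    runAsUser: 1000
    fsGroup: 1000                 # pod-level only; group ownership of mounted volumes
    seccompProfile:               # rule 5
      type: RuntimeDefault
  containers:
  - name: web
    # Placeholder image; it must be able to run as UID 1000.
    image: registry.example.com/web:1.0
    securityContext:              # container-specific: spec.containers[*].securityContext
      allowPrivilegeEscalation: false   # rule 2
      privileged: false                 # rule 6
      readOnlyRootFilesystem: true      # rule 4
      capabilities:
        drop: ["ALL"]                   # rule 3
    volumeMounts:
    - name: tmp
      mountPath: /tmp             # writable scratch space, since / is read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

The restricted level itself requires rules 1, 2, 3 and 5 and forbids privileged containers and host access (rules 6 and 8), so a pod missing any of them is rejected at admission. readOnlyRootFilesystem (rule 4) is not checked by PSA and has to be set by hand.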
