What Are Pod Security Standards?
Pod Security Standards are a set of security profiles defined by the Kubernetes project establishing three pod security levels: Privileged, which is unrestricted; Baseline, which prevents known privilege escalations while being easy to adopt; and Restricted, which follows current pod hardening best practices. These standards are enforced through Kubernetes Pod Security Admission or third-party tools like OPA Gatekeeper and Kyverno.
Why Pod Security Standards Matter
By default, Kubernetes allows pods to run with broad privileges, including running as root, accessing the host network, and mounting sensitive host paths. These defaults create significant security risks. Pod Security Standards provide a clear, graduated framework for restricting pod capabilities. Enforcing them prevents common attack vectors like container escape, privilege escalation, and unauthorized host access.
Teams that understand and adopt pod security standards gain a significant operational advantage, reducing manual effort and improving the reliability and scalability of their infrastructure. As cloud-native adoption accelerates, familiarity with pod security standards has become a core competency for DevOps engineers, platform teams, and site reliability engineers working in production Kubernetes and cloud environments.
How Pod Security Standards Work
Pod Security Admission, built into Kubernetes since version 1.25, evaluates pod specifications against the selected security level when pods are created. You apply a security level to each namespace using labels. Depending on the enforcement mode set on the namespace, a pod that violates the level is admitted with a warning returned to the client, admitted and recorded in the audit log, or rejected. The three levels provide a progressive path from no restrictions to full hardening, allowing teams to adopt security incrementally.
Understanding how Pod Security Standards fit into the broader cloud-native ecosystem is important for making informed architecture decisions. They work alongside other tools and practices in the DevOps and platform engineering space, and choosing the right combination depends on your team's specific requirements, scale, and operational maturity.
Key Features
Three Security Levels
Privileged allows everything, Baseline prevents known escalations, and Restricted enforces full pod hardening.
Namespace-Level Enforcement
Apply security levels per namespace, allowing different standards for system and application workloads.
Multiple Enforcement Modes
Enforce in warn, audit, or deny modes to gradually roll out restrictions without breaking existing workloads.
Built-In
Pod Security Admission is built into Kubernetes, requiring no additional tools for basic enforcement.
Common Use Cases
Enforcing the Restricted profile on all application namespaces to prevent pods from running as root.
Using the Baseline profile as a starting point for teams migrating from unrestricted pod configurations.
Applying Privileged only to kube-system namespace where system components require elevated access.
Running in audit mode first to identify which pods violate Restricted before switching to enforcement.
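The label-driven evaluation described under How Pod Security Standards Work, together with the audit-first rollout in the last use case above, as an added Python example. This is not Kubernetes' own admission code: it implements only a teaching subset of the documented Baseline and Restricted controls, the three sample pod specs are constructed for the example, and the rollout stage names in `rollout_labels` are this example's own. The label keys (`pod-security.kubernetes.io/enforce`, `audit`, `warn`) are the real ones Pod Security Admission reads from a namespace.

```python
"""Teaching-size Pod Security Standards evaluator (added example, not Kubernetes code).
Pod specs are dicts mirroring the YAML. Only a subset of the Baseline and Restricted
controls is implemented; the real admission controller applies the full rule set."""

LABEL_PREFIX = "pod-security.kubernetes.io/"  # real label prefix read by Pod Security Admission

# Capabilities a Baseline container may add (the documented Baseline allow-list).
BASELINE_ADD_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                     "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# Volume types a Restricted pod may use.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def baseline_violations(spec):
    """Baseline subset: no host namespaces, hostPath, hostPort, privileged, Unconfined seccomp, extra caps."""
    out = [f"spec.{f} must not be true" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    out += [f"volume {v.get('name')!r}: hostPath is not allowed" for v in spec.get("volumes", []) if "hostPath" in v]
    if spec.get("securityContext", {}).get("seccompProfile", {}).get("type") == "Unconfined":
        out.append("pod seccompProfile.type must not be Unconfined")
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c.get("name")
        if sc.get("privileged"):
            out.append(f"container {name!r}: privileged must not be true")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            out.append(f"container {name!r}: seccompProfile.type must not be Unconfined")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ADD_CAPS
        if extra:
            out.append(f"container {name!r}: capabilities {sorted(extra)} are not permitted")
        if any(p.get("hostPort") for p in c.get("ports", [])):
            out.append(f"container {name!r}: hostPort is not allowed")
    return out


def restricted_violations(spec):
    """Restricted = everything in Baseline plus the hardening controls below."""
    out = baseline_violations(spec)
    for v in spec.get("volumes", []):
        kinds = set(v) - {"name"}
        if not kinds <= RESTRICTED_VOLUMES:
            out.append(f"volume {v.get('name')!r}: type {sorted(kinds - RESTRICTED_VOLUMES)} is not allowed")
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c.get("name")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"container {name!r}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"container {name!r}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"container {name!r}: only NET_BIND_SERVICE may be added")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            out.append(f"container {name!r}: runAsNonRoot must be true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            out.append(f"container {name!r}: runAsUser must not be 0")
        if (_effective(pod_sc, sc, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


CHECKS = {"privileged": lambda spec: [], "baseline": baseline_violations, "restricted": restricted_violations}


def violations(spec, level):
    """Violations of a pod spec against one of the three levels."""
    return CHECKS[level](spec)


def admit(pod, namespace_labels):
    """Apply the namespace's enforce/audit/warn labels the way Pod Security Admission does:
    a missing label means privileged for that mode, and only the enforce mode can reject."""
    result = {mode: violations(pod["spec"], namespace_labels.get(LABEL_PREFIX + mode, "privileged"))
              for mode in ("enforce", "audit", "warn")}
    result["allowed"] = not result["enforce"]
    return result


def rollout_labels(stage):
    """Staged rollout (this example's own stage names): observe Restricted violations first,
    then enforce Baseline while still auditing Restricted, then enforce Restricted."""
    stages = {"observe":    {"enforce": "privileged", "audit": "restricted", "warn": "restricted"},
              "baseline":   {"enforce": "baseline",   "audit": "restricted", "warn": "restricted"},
              "restricted": {"enforce": "restricted", "audit": "restricted", "warn": "restricted"}}
    return {LABEL_PREFIX + mode: level for mode, level in stages[stage].items()}


# Constructed sample pods for the example (not from any real cluster).
HOST_AGENT = {"metadata": {"name": "host-agent"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "agent", "image": "example/agent:1", "securityContext": {"privileged": True}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}
PLAIN_WEB = {"metadata": {"name": "web"}, "spec": {
    "containers": [{"name": "web", "image": "example/web:1"}]}}  # no securityContext at all
HARDENED_API = {"metadata": {"name": "api"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "api", "image": "example/api:1",
                    "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":
    for stage in ("observe", "baseline", "restricted"):
        for pod in (HOST_AGENT, PLAIN_WEB, HARDENED_API):
            r = admit(pod, rollout_labels(stage))
            print(f"{stage:10} {pod['metadata']['name']:10} allowed={r['allowed']!s:5} "
                  f"warn={len(r['warn'])} audit={len(r['audit'])}")
```

Running the script prints one line per stage and pod. In the "observe" stage every pod is admitted but the host-agent pod produces Restricted audit entries; in the "baseline" stage the host-agent pod is rejected while the plain web pod is admitted with four Restricted warnings (missing `runAsNonRoot`, `allowPrivilegeEscalation: false`, `drop: [ALL]` and a seccomp profile); only the hardened API pod passes once Restricted is enforced. Those warnings are the to-do list the audit-first use case is meant to surface before enforcement is switched on.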
How Obsium Helps
Obsium's DevOps and security team helps organizations implement and optimize pod security standards as part of production-grade infrastructure. Whether you are adopting pod security standards for the first time or looking to improve an existing implementation, our engineers bring hands-on experience across cloud platforms and Kubernetes environments. Learn more about our DevOps and security services →