Pod Security Standards

DavidGardiner | May 8, 2023

The Kubernetes Pod Security Standards define different isolation levels for Pods. These standards let you define how you want to restrict the behavior of pods in a clear, consistent fashion.

Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.

# Privileged
Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations.

# Baseline
Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration.

# Restricted
Heavily restricted policy, following current Pod hardening best practices.

# enforce
Policy violations will cause the pod to be rejected.

# audit
Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed.

# warn
Policy violations will trigger a user-facing warning, but are otherwise allowed.

```yaml
# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.26).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
```

Setting these labels lets you enforce pod security policies; the same policies can also be controlled via am18 (azurepolicy).

Labels: enforce=baseline and enforce=restricted

I would advise using restricted where possible and baseline as standard.

For production, it is recommended to run in audit mode for a week or more to check for any affected workloads.

Labels: audit=baseline and audit=restricted

For detailed restrictions, please see: pod-security-standards

Example usage (`k` is assumed to be a shell alias for `kubectl`):

```bash
# Ensure to check warnings before enforcing this policy

k label ns <namespace> pod-security.kubernetes.io/warn=baseline
k label ns <namespace> pod-security.kubernetes.io/warn=restricted

# We advise you to send logs to audit and monitor to check if anything is being blocked.

k label ns <namespace> pod-security.kubernetes.io/audit=baseline
k label ns <namespace> pod-security.kubernetes.io/audit=restricted

# After you have remediated any warnings you can enforce settings.
# Add --overwrite if the namespace already carries a value for the label.

k label ns <namespace> pod-security.kubernetes.io/enforce=baseline
k label ns <namespace> pod-security.kubernetes.io/enforce=restricted
```

Apply using a script:

```bash
# Get a list of all namespaces in the cluster, one per line
namespaces=$(kubectl get namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')

# Apply the label to each namespace
for namespace in $namespaces; do
  kubectl label namespace "$namespace" pod-security.kubernetes.io/enforce=baseline
done
```
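To triage warnings before switching a namespace to enforce, the following added example (not code from the original post) checks pod specs offline against a subset of the baseline and restricted standards. It covers the controls most workloads trip over (host namespaces, privileged containers, hostPath, privilege escalation, non-root, capabilities, seccomp), not the full standard; the sample specs are constructed.

```python
# Added example (not from the original post): offline pre-check of pod specs
# against a subset of the baseline and restricted Pod Security Standards.

def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])

def baseline_violations(pod):
    """Subset of baseline: host namespaces, privileged containers, hostPath."""
    spec = pod.get("spec", {})
    found = [f"spec.{k} is true" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    found += [f"volume {v.get('name')} uses hostPath" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"container {c['name']} is privileged")
    return found

def restricted_violations(pod):
    """Baseline subset plus: privilege escalation, non-root, capabilities, seccomp."""
    found = baseline_violations(pod)
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name}: allowPrivilegeEscalation must be false")
        # a container-level runAsNonRoot overrides the pod-level value when set
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"container {name}: runAsNonRoot must be true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name}: must drop ALL capabilities (only NET_BIND_SERVICE may be added)")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name}: seccompProfile must be RuntimeDefault or Localhost")
    return found

# Constructed sample specs for the three cases the post describes (not real workloads)
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
DEFAULT_POD = {"spec": {"containers": [{"name": "app", "image": "example/app:1"}]}}
HOST_POD = {"spec": {"hostNetwork": True,
    "containers": [{"name": "agent", "securityContext": {"privileged": True}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("default", DEFAULT_POD), ("host", HOST_POD)):
        print(label, "baseline:", baseline_violations(pod), "restricted:", restricted_violations(pod))
```

The default (minimally specified) pod passes baseline but fails restricted on every container-level control, which is exactly the gap the warn and audit stages are meant to surface before enforce is set.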