Pod Security Standards in Practice

A container running as root with full capabilities is one misconfiguration away from owning the node. A single privileged: true in a pod spec grants access to every device on the host, bypasses seccomp and AppArmor, and turns container isolation into a formality. Without enforcement, these configurations slip into production through Helm defaults, copied manifests, and developer convenience.
Pod Security Standards (PSS) define three profiles that classify what a pod is allowed to do. Pod Security Admission (PSA) enforces those profiles at the namespace level through labels. PSA replaced the deprecated PodSecurityPolicies in Kubernetes 1.25. If you're running 1.25 or later, this is your enforcement mechanism.
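The label-based enforcement described above, as an added example that is not part of the original lesson: a namespace that enforces the restricted profile, a privileged pod that admission rejects there, and a pod that passes. The namespace, pod names and image references are constructed placeholders.

```yaml
# Constructed example: names and images below are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                       # hypothetical namespace
  labels:
    # enforce: pods violating the profile are rejected at admission.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25
    # warn and audit: violations also show up as client warnings
    # and as annotations on audit log events.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Rejected in this namespace: privileged is not allowed by the
# baseline or restricted profiles.
apiVersion: v1
kind: Pod
metadata:
  name: debug-shell
  namespace: payments
spec:
  containers:
    - name: shell
      image: registry.example.com/tools/shell:1.0
      securityContext:
        privileged: true
---
# Admitted: sets the fields the restricted profile requires.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: registry.example.com/payments/api:1.0
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Setting only the warn and audit labels first shows which existing workloads would fail before the enforce label starts rejecting them.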