KubeDojo

Pod Security Standards and Security Contexts

by Alexis Kinsella · 13 min read

Most Pods running in Kubernetes clusters today have more privileges than they need. A container with privileged: true has unrestricted access to the host node. A container running as root can modify its own filesystem, escalate privileges through setuid binaries, and interact with kernel interfaces it has no business touching. The gap between "it works" and "it's locked down" is where attackers operate.

Kubernetes addressed this with two complementary mechanisms. Pod Security Standards (PSS) define three profiles: Privileged, Baseline, and Restricted, each representing a progressively tighter set of constraints on what a Pod can do. The built-in Pod Security Admission (PSA) controller enforces those profiles at the namespace level, replacing the deprecated PodSecurityPolicy (removed in v1.25) with zero external dependencies. And at the container level, security contexts give you field-by-field control over privileges, capabilities, filesystem access, and user identity.
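
The two layers described above, shown together as an added example (not part of the original lesson): a namespace that enforces the Restricted profile through PSA labels, and a Pod whose security contexts satisfy it. The namespace and Pod names, image reference, and UID are constructed placeholders.

```yaml
# Constructed example: names, image and UID/GID are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                      # hypothetical namespace
  labels:
    # enforce: PSA rejects Pods that violate the Restricted profile.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # warn/audit: also report violations to the client and the audit log.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: api                           # hypothetical workload
  namespace: payments
spec:
  securityContext:                    # Pod-level defaults for all containers
    runAsNonRoot: true                # kubelet refuses to start a UID 0 container
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault            # Restricted requires a seccomp profile
  containers:
    - name: api
      image: registry.example.com/api:1.0.0   # placeholder image
      securityContext:                # container-level fields
        privileged: false
        allowPrivilegeEscalation: false   # blocks setuid-based escalation
        capabilities:
          drop: ["ALL"]               # Restricted requires dropping ALL
        # Not required by Restricted, but stops the container from
        # modifying its own filesystem.
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: tmp
          mountPath: /tmp             # writable scratch space only
  volumes:
    - name: tmp
      emptyDir: {}
```

With the enforce label in place, a Pod in this namespace that sets privileged: true, or omits the fields Restricted requires, is rejected at admission rather than scheduled.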
