Pod Security Standards: enforce restricted without breakage
Roll out the restricted profile namespace by namespace, find violators with audit mode first, and carve exceptions that expire.
PodSecurityPolicy is gone. Its replacement, Pod Security Admission, is built into the API server and enforces the three Pod Security Standards — privileged, baseline, and restricted — with a single label per namespace. The trick isn't turning it on; it's turning it on without breaking every workload that was quietly running as root.
Here's what enforcement looks like from the caller's side — a pod that violates restricted is refused at admission, before a single container starts:
kubectl apply -f pod.yaml -n paymentsnamespace payments: pod-security.kubernetes.io/enforce=restricted Error from server (Forbidden): error when creating "pod.yaml":pods "api" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "api") runAsNonRoot != true (pod or container "api") seccompProfile type unset (pod or container "api") fix the securityContext and re-apply — nothing was scheduledThree profiles, one decision
baseline blocks the obviously dangerous — host namespaces, privileged containers, hostPath volumes. restricted goes further: non-root, no privilege escalation, a seccomp profile, and dropped capabilities. Most teams should target restricted for application namespaces and reserve baseline for the few workloads that genuinely need more.
Start in audit mode
Never jump straight to enforce. Label the namespace with audit and warn first — the API server records violations to the audit log and returns a warning to kubectl, but still admits the pod. You get a complete list of what would break with zero downtime.
apiVersion: v1kind: Namespacemetadata:name: paymentslabels:# observe only — nothing is blocked yetpod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/warn: restricted
Deploy as usual for a sprint, then harvest the violations straight from the audit log and fix each workload's securityContext.
# pull restricted violations out of the audit loggrep 'pod-security.kubernetes.io/audit-violations' audit.log \| jq -r '.objectRef.namespace + "/" + .objectRef.name'
Promote to enforce
Once the warnings are quiet, flip enforce on. Keep warn and audit pinned to latest so you catch regressions when a new Kubernetes release tightens the standard.
labels:pod-security.kubernetes.io/enforce: restrictedpod-security.kubernetes.io/enforce-version: latestpod-security.kubernetes.io/warn: restricted
Where this goes next
PSA enforces pod-level posture but can't express org policy like 'images must come from our registry' or 'every pod needs a cost-center label'. That's where Kyverno or OPA Gatekeeper pick up. Pair PSA for the baseline with a policy engine for the rules that are specific to you.
Go deeper in a courseKubernetes administrationRBAC, admission control, and cluster hardening in depth.View course