For Pod Security, there are basically two layers/types:
Pod security settings for each pod
namespace labels for Pod Security Admission (PSA)
Layer A: Pod security settings
Defined in:
spec.containers[*].securityContext
spec.securityContext
This covers both per-container and pod-wide settings.
It determines the runtime security of each container (the user it runs as, the capabilities and syscalls it may use, whether its root filesystem is writable, and so on).
Examples:
runAsNonRoot
runAsUser
allowPrivilegeEscalation
readOnlyRootFilesystem
capabilities
seccompProfile
privileged
fsGroup
Layer B: Namespace-level Pod Security Admission (PSA)
Defined using labels:
pod-security.kubernetes.io/enforce: restricted|baseline|privileged
This applies namespace-wide rules to every pod, checked at admission time, before the pod is created.
restricted: strongest security, disallows most risky features
baseline: medium security
privileged: allows almost anything
How the two layers work together
PSA (namespace label) is the policy gate
Pod securityContext is the actual behavior inside the pod
Even if the pod sets something insecure, PSA can block it.
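The following manifest, added here as an example and not taken from the original post, shows the two layers meeting at the admission gate. The namespace carries the enforce label from above; the pod below it asks for a privileged container, which the restricted level forbids. The namespace name, pod name and image are constructed for illustration. The warn and audit labels are real PSA labels that the post does not mention; they report violations (to the kubectl client and to the API audit log) without blocking.

```yaml
# Added example; not part of the original post.
# Names and image reference are constructed for illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-apps                      # constructed namespace name
  labels:
    # Layer B, the policy gate: every pod created here must satisfy "restricted".
    pod-security.kubernetes.io/enforce: restricted
    # Companion labels (not in the post): report violations without blocking.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Layer A, the pod's own securityContext. This pod requests a privileged
# container. The YAML is valid, but the namespace's enforce label rejects
# it at admission, so the pod never reaches a node.
apiVersion: v1
kind: Pod
metadata:
  name: debug-shell                        # constructed pod name
  namespace: hardened-apps
spec:
  containers:
  - name: shell
    image: busybox:1.36                    # constructed image reference
    command: ["sleep", "3600"]
    securityContext:
      privileged: true                     # violates restricted (and baseline)
```

Applying this with kubectl creates the namespace and then returns a Forbidden error for the pod stating that it violates PodSecurity "restricted:latest", naming the offending field. Changing the enforce label to privileged lets the same pod through, which is exactly the point: the securityContext describes what the pod wants, the namespace label decides whether it is allowed.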
Best-practice hardening rules
Here are some pod hardening rules that reflect best practice:
0. Namespace
Label the namespace with pod-security.kubernetes.io/enforce: restricted so the rules below are enforced at admission rather than left to each manifest.
1. Run as non-root
runAsNonRoot: true
runAsUser: 1000
Avoid privileged UID 0.
2. Disallow privilege escalation
allowPrivilegeEscalation: false
Stops processes from gaining higher privileges (e.g., via setuid binaries).
3. Drop unnecessary Linux capabilities
capabilities:
  drop: ["ALL"]
Add back only the capabilities the workload actually needs.
4. Use a read-only root filesystem
readOnlyRootFilesystem: true
Prevents writes to /, which limits an attacker's ability to drop tools or persist inside the container.
5. Use seccomp (system call filtering)
seccompProfile:
  type: RuntimeDefault
Blocks dangerous syscalls using the container runtime's default profile.
6. Avoid privileged containers
privileged: false
Never run privileged unless absolutely needed.
7. Use AppArmor (if available)
annotations:
  container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
8. Restrict host access
Avoid these unless needed:
hostNetwork
hostPID
hostIPC
hostPath volumes
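The pod below, added here as an example and not the post's own manifest, applies rules 1 through 8 in one place so the split between spec.securityContext and spec.containers[*].securityContext is visible. The namespace, pod name and image are constructed; the image is assumed to be an nginx build that listens on port 8080 as a non-root user and writes only to /tmp and /var/cache/nginx. runAsGroup and the emptyDir scratch volumes are additions the post does not mention: a read-only root filesystem still needs somewhere writable for the process's PID file and cache.

```yaml
# Added example; not part of the original post.
# Namespace, pod name and image reference are constructed for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-hardened                     # constructed pod name
  namespace: hardened-apps                 # assumed to carry enforce: restricted
  annotations:
    # Rule 7: AppArmor, keyed by container name (the annotation form from the post).
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
spec:
  # Rule 8: stay out of the host's namespaces.
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # Pod-wide settings (spec.securityContext), inherited by every container.
  securityContext:
    runAsNonRoot: true                     # Rule 1
    runAsUser: 1000                        # Rule 1: never UID 0
    runAsGroup: 1000                       # addition: primary GID for the process
    fsGroup: 1000                          # group ownership for mounted volumes
    seccompProfile:
      type: RuntimeDefault                 # Rule 5
  containers:
  - name: nginx
    image: nginxinc/nginx-unprivileged:1.25   # assumed image; serves on 8080 as non-root
    ports:
    - containerPort: 8080
    # Container-specific settings (spec.containers[*].securityContext).
    securityContext:
      allowPrivilegeEscalation: false      # Rule 2: no setuid/setgid gains
      privileged: false                    # Rule 6
      readOnlyRootFilesystem: true         # Rule 4
      capabilities:
        drop: ["ALL"]                      # Rule 3: add back only what is needed
    volumeMounts:
    # Rule 4 side effect: give the process writable scratch space without
    # loosening the root filesystem. emptyDir volumes are pod-local, not hostPath.
    - name: tmp
      mountPath: /tmp
    - name: cache
      mountPath: /var/cache/nginx
  volumes:
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
```

This manifest passes the restricted PSA level, so it is admitted into the namespace from rule 0; removing any of the marked lines (for example the drop: ["ALL"] or the seccompProfile) makes the gate reject it, which is a quick way to confirm the label is actually enforcing. On Kubernetes 1.30 and later the AppArmor annotation is deprecated in favour of a securityContext.appArmorProfile field with the same RuntimeDefault semantics; the annotation form is kept here because it is what the post shows.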
Reference
Official doc: