Restricted Pod Security Standards Namespace
A namespace configured with the Restricted Pod Security Standard, the most secure PSS level that blocks privileged pods, host access, and root execution.
Overview
This template creates a Kubernetes namespace with the Pod Security Standards (PSS) Restricted level enforced by the built-in Pod Security Admission controller. Restricted is the most secure built-in level: it rejects pods that run as root, use host namespaces, mount host paths (or any volume type outside the Restricted allow list), or retain Linux capabilities beyond NET_BIND_SERVICE, and it requires allowPrivilegeEscalation: false and a RuntimeDefault or Localhost seccomp profile.
Security threat addressed: Without PSS enforcement, any user with deployment permissions can create privileged containers that have full access to the host node, bypassing all container isolation.
When to use: Apply to every production namespace. Use the baseline level for development namespaces where some restrictions need to be relaxed.
Threat Model
- Container escape prevention: Restricted PSS blocks the most common pod-spec-level container escape vectors: privileged mode, host namespaces, and dangerous capabilities.
- Root execution prevention: Enforces runAsNonRoot (and rejects runAsUser: 0), so even if an attacker gains code execution they run with a non-zero UID. Without user namespaces that UID is the same on the node, so the process is not root on the host either.
- Host isolation enforcement: Blocks hostNetwork, hostPID, and hostIPC, which would give containers direct access to node-level resources.
MITRE ATT&CK:
- T1611 — Escape to Host: PSS Restricted prevents the most common container-to-host escape techniques.
Real-world scenario: A developer accidentally deploys a container with privileged: true in production. PSS Restricted rejects the pod at admission time, preventing a potential full-host compromise.
YAML Source
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: secure-app-namespace
  labels:
    # POD SECURITY STANDARDS (PSS) - RESTRICTED MODE
    # 'restricted': The most secure mode. Blocks pods that run as root, use host networking,
    # or have dangerous capabilities. Best for production applications.
    pod-security.kubernetes.io/enforce: restricted
    # Pinning the version freezes the rule set at the v1.28 definition of 'restricted'.
    # 'latest' follows the API server's version and picks up new checks automatically,
    # which is stricter but can break workloads on a cluster upgrade.
    pod-security.kubernetes.io/enforce-version: v1.28
    # 'warn': Does not block, but returns a warning to the client (kubectl prints it)
    # if a pod violates the policy. Useful for testing before enforcing.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.28
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
# PRO TIP:
# Always try to use the 'restricted' standard. If your app fails to start, read the
# admission error (returned directly by 'kubectl apply' for a Pod, or recorded as
# FailedCreate events on the ReplicaSet/Job with 'kubectl get events') and fix the
# app rather than lowering the security standard to 'baseline'.
```
Installation
kubectl:
```bash
kubectl apply -f 02_restricted_pss_namespace.yaml
```
Helm:
```bash
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
```
Kustomize:
```bash
kubectl apply -k kustomize/overlays/prod
```
Verification
```bash
# Check namespace labels for PSS enforcement
kubectl get namespace secure-app-namespace -o json | jq .metadata.labels
# Verify enforcement level is 'restricted'
kubectl get namespace secure-app-namespace -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}'
# Test enforcement by trying to create a privileged pod. The API server rejects it at
# admission with a Forbidden error of the form:
#   violates PodSecurity "restricted:v1.28": privileged (container "test" must not set securityContext.privileged=true), ...
kubectl run test-privileged --image=nginx --restart=Never -n secure-app-namespace --overrides='{"spec":{"containers":[{"name":"test","image":"nginx","securityContext":{"privileged":true}}]}}'
# Rejections of pods created by a controller (Deployment/ReplicaSet, Job) surface as
# FailedCreate events. A pod created directly, as above, only returns the error to the
# client and records no event, so an empty result here is expected after kubectl run.
kubectl get events -n secure-app-namespace --field-selector reason=FailedCreate
```
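The rules listed under Threat Model and the admission test above can be reproduced offline. The following Python script is an added example, not part of the k8s-security-pro template or of Kubernetes itself: it implements the Restricted-profile checks named on this page (host namespaces, privileged, hostPath and other disallowed volume types, capabilities, runAsNonRoot and runAsUser 0) plus the allowPrivilegeEscalation and seccomp requirements, as a pre-apply linter for Pod manifests, and shows the page's privileged nginx pod beside a hardened copy that passes. It is a subset of the real profile (hostPorts, sysctls, AppArmor/SELinux and procMount are not covered). The function names `check_restricted`, `harden`, `all_containers` and both sample pods are constructed for this example.

```python
"""Offline pre-admission check for the Pod Security 'restricted' profile.

Added example, not part of the k8s-security-pro template. It reproduces the
restricted-profile rules the namespace label enforces (host namespaces,
privileged, capabilities, volume types, allowPrivilegeEscalation, runAsNonRoot,
runAsUser 0, seccomp) so a Pod manifest can be linted before 'kubectl apply'.
The sample pods at the bottom are constructed for this example.
"""
import copy
import json

# Volume types the restricted profile permits; anything else (hostPath included) is rejected.
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def all_containers(spec):
    """Regular, init and ephemeral containers are all subject to the profile."""
    return ((spec.get("containers") or []) + (spec.get("initContainers") or [])
            + (spec.get("ephemeralContainers") or []))


def check_restricted(pod):
    """Return a list of violation strings; an empty list means admission would succeed."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []

    # Baseline rules inherited by restricted: no host namespaces, no hostPath.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"{field} must not be true")
    for vol in spec.get("volumes") or []:
        bad = (set(vol) - {"name"}) - ALLOWED_VOLUMES
        if bad:
            violations.append(f"volume {vol.get('name')!r}: disallowed type {sorted(bad)}")

    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for c in all_containers(spec):
        name = c.get("name")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name!r}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name!r}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"container {name!r}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"container {name!r}: may only add NET_BIND_SERVICE, not {sorted(extra)}")
        # Container-level values override the pod-level securityContext.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"container {name!r}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"container {name!r}: runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP:
            violations.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def harden(pod):
    """Return a copy with the securityContext fields the restricted profile demands.
    Host namespaces and hostPath volumes are deliberately left alone: removing them
    changes what the workload can do, so that is a design decision, not a patch."""
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    spec.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in all_containers(spec):  # the dicts are shared with spec, so edits stick
        sc = c.setdefault("securityContext", {})
        sc.pop("privileged", None)
        sc["allowPrivilegeEscalation"] = False
        sc["capabilities"] = {"drop": ["ALL"]}
    return out


# Constructed sample: the pod the Verification step submits with --overrides.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "test-privileged", "namespace": "secure-app-namespace"},
    "spec": {"containers": [
        {"name": "test", "image": "nginx", "securityContext": {"privileged": True}}]},
}

# Constructed sample: a log-shipper style pod that reaches into the node.
HOST_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-reader"},
    "spec": {
        "hostNetwork": True, "hostPID": True,
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "reader", "image": "busybox",
                        "volumeMounts": [{"name": "varlog", "mountPath": "/host/var/log"}]}],
    },
}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, harden(PRIVILEGED_POD), HOST_POD, harden(HOST_POD)):
        print(pod["metadata"]["name"], json.dumps(check_restricted(pod), indent=2))
```

Passing admission is not the same as running: `harden` sets runAsNonRoot but no runAsUser, so if the image's USER is root (the stock nginx image is), the kubelet refuses to start the container with CreateContainerConfigError ("container has runAsNonRoot and image will run as root"). Either build the image with a numeric non-root USER or add a non-zero runAsUser to the securityContext. This linter is a convenience for catching rejections before they reach the cluster; the namespace label remains the control that actually enforces the policy.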
CIS Benchmark References
- 5.2.2 — Minimize the admission of privileged containers. PSS Restricted automatically enforces this.
- 5.2.7 — Minimize the admission of root containers. PSS Restricted requires runAsNonRoot: true.
MITRE ATT&CK References
- T1611 — Escape to Host: Without PSS, privileged and host-mounted pods can be created by any user with deployment permissions. PSS Restricted blocks the pod-spec-level escape vectors (privileged mode, host namespaces, hostPath, added capabilities, root execution) at the namespace level. It does not mitigate escapes that exploit kernel or container-runtime vulnerabilities; those still need node patching and runtime hardening.
Further Reading
- Kubernetes Pod Security Standards: From PSP to PSS Migration Guide — Complete guide to PSS levels, namespace enforcement, migration from PodSecurityPolicy, and real-world gotchas.