Version: main 🚧

Pod security standard

Limited vCluster Tenancy Configuration Support

This feature is only available when using the following worker node types:

  • Host Nodes
    Note: This feature is disabled by default.

    Pod security standards prevent Pods from starting if they request permissions beyond what's allowed. These standards check settings like spec.securityContext, host ports, volume types, and AppArmor annotations.

    Enable this feature to block privileged Pods from escaping the virtual cluster.

    policies:
      podSecurityStandard: <policy_profile>
    • Replace <policy_profile> with privileged, baseline, or restricted.

    See the Kubernetes Pod Security profile details for more information.
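The following added example (not part of the vCluster documentation or code) sketches how a profile decides whether a Pod may start, using a simplified subset of the Kubernetes baseline and restricted checks. The function name, the sample manifests, and the treatment of an empty value as "no enforcement" are assumptions made for illustration.

```python
# Added example: simplified subset of the Kubernetes Pod Security profiles.
# Not vCluster's implementation; function and variable names are hypothetical.

def violations(pod, profile):
    """Return rule violations for a Pod manifest given as a dict."""
    if profile in ("", "privileged"):
        return []  # privileged is unrestricted; "" assumed to mean "off"
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):  # baseline
        if spec.get(field):
            found.append(f"spec.{field} must not be true")
    for vol in spec.get("volumes", []):  # baseline
        if "hostPath" in vol:
            found.append(f"volume {vol['name']}: hostPath not allowed")
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):  # baseline
            found.append(f"{name}: privileged must not be true")
        for port in c.get("ports", []):  # baseline
            if port.get("hostPort", 0) != 0:
                found.append(f"{name}: hostPort {port['hostPort']} not allowed")
        if profile == "restricted":  # extra rules on top of baseline
            if sc.get("allowPrivilegeEscalation") is not False:
                found.append(f"{name}: allowPrivilegeEscalation must be false")
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                found.append(f"{name}: runAsNonRoot must be true")
    return found

# Constructed sample manifests.
PRIVILEGED_POD = {"spec": {
    "hostPID": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True},
                    "ports": [{"containerPort": 80, "hostPort": 80}]}]}}
PLAIN_POD = {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "nginx",
                    "securityContext": {"allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for label, pod in [("privileged", PRIVILEGED_POD), ("plain", PLAIN_POD)]:
        for profile in ("privileged", "baseline", "restricted"):
            print(label, profile, violations(pod, profile))
```

The real profiles contain more controls (capabilities, seccomp, AppArmor, sysctls and others); the linked Kubernetes profile details list them in full.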

    Config reference

    podSecurityStandard (required, string)

    The Pod Security Standard to enforce. Must be one of: empty (""), baseline, restricted, or privileged.