Version: main 🚧

Pod security standard

This feature is disabled by default.

Pod security standards control pre-built validation of a Pod's capabilities. The security standards don't necessarily grant permissions to a Pod, but rather prevent a Pod from being created that requests more permissions than the standard. Typically the validation covers the Pod's spec.securityContext, but it can also cover things like host ports, volume types, and special annotations used for Linux AppArmor profiles.

Configure this feature to prevent privileged pods from breaking out of the virtual cluster.

policies:
  podSecurityStandard: POLICY_PROFILE

Replace POLICY_PROFILE with Privileged, Baseline, or Restricted. See the Kubernetes docs for profile details.
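
The sketch below illustrates what "requests more permissions than the standard" means in practice. It is an added example, not vcluster's or Kubernetes' own admission code, and it implements only a small subset of the Baseline and Restricted checks from the Kubernetes docs. The function name, the sample pod specs and the treatment of an empty profile as "no enforcement" are assumptions.

```python
# Simplified subset of the Kubernetes Baseline and Restricted checks.
# Added illustration; not vcluster's or Kubernetes' admission code.

def violations(pod_spec, profile):
    """Return the reasons a pod spec exceeds the given profile."""
    profile = profile.lower()
    if profile in ("", "privileged"):
        # Assumption: empty means no enforcement; privileged is unrestricted.
        return []
    if profile not in ("baseline", "restricted"):
        raise ValueError(f"unknown profile: {profile!r}")
    found = []
    # Baseline: no sharing of host namespaces.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            found.append(f"{field} is true")
    # Baseline: no hostPath volumes.
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol['name']} uses hostPath")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        # Baseline: no privileged containers, no host ports.
        if sc.get("privileged"):
            found.append(f"container {c['name']} is privileged")
        for port in c.get("ports", []):
            if port.get("hostPort", 0) != 0:
                found.append(f"container {c['name']} uses hostPort {port['hostPort']}")
        if profile == "restricted":
            # Restricted: escalation must be off and the user non-root.
            if sc.get("allowPrivilegeEscalation") is not False:
                found.append(f"container {c['name']} allows privilege escalation")
            if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
                found.append(f"container {c['name']} may run as root")
    return found

# Constructed sample specs (hypothetical names).
RISKY_POD = {
    "hostPID": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "securityContext": {"privileged": True}}],
}
PLAIN_POD = {"containers": [{"name": "web", "ports": [{"containerPort": 8080}]}]}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web",
                    "securityContext": {"allowPrivilegeEscalation": False}}],
}
```

A pod with default settings passes the Baseline subset but fails the Restricted subset, which is why moving to Restricted usually requires changes to workload manifests.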

Config reference

podSecurityStandard (required, string, pro)

PodSecurityStandard is the standard to enforce. It can be one of: empty (""), baseline, restricted or privileged.