Kubernetes security hardening is the practice of systematically reducing the attack surface of containerized workloads and cluster infrastructure by applying layered controls, from pod-level security contexts up to control plane configuration and supply chain integrity. The introduction of Pod Security Standards (PSS) and the Pod Security Admission (PSA) controller in Kubernetes v1.25 replaced the deprecated PodSecurityPolicy, giving operators a built-in, namespace-scoped enforcement framework with three well-defined profiles. The key mental model is defense-in-depth: no single control is sufficient; effective cluster security combines pod restrictions, RBAC, network policy, audit logging, runtime detection, and ongoing CVE response into overlapping layers.
What This Cheat Sheet Covers
This topic spans 16 focused tables and 101 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Pod Security Standards - Three Profiles
Pod Security Standards define three cumulative security profiles that range from fully permissive to highly restrictive. Every Kubernetes cluster has a built-in implementation through the Pod Security Admission controller, making these the foundational building block of workload security.
| Profile | Example | Description |
|---|---|---|
| privileged | `pod-security.kubernetes.io/enforce: privileged` | Entirely unrestricted policy; allows all privilege escalation paths. Intended only for trusted system- and infrastructure-level workloads (e.g., CNI plugins, node agents). |
| baseline | `pod-security.kubernetes.io/enforce: baseline` | Minimally restrictive; prevents known privilege escalation vectors (host namespaces, privileged containers, dangerous capabilities, hostPath volumes, unsafe sysctls) while allowing default pod configurations for most application workloads. |
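To make the baseline row concrete, here is an added example (not code from this cheat sheet or from the Kubernetes project) of a small pre-admission checker that mirrors the baseline controls the table names: host namespaces, privileged containers, added capabilities, hostPath volumes and unsafe sysctls. It evaluates a pod manifest held as a plain dict, the same shape as the YAML a cluster would see, so it can run in CI before a manifest reaches the PSA controller. The allowed-capability and safe-sysctl lists are assumptions taken from the upstream baseline profile definition; the two sample manifests are constructed for the example. The stricter `restricted` profile adds further requirements that this checker does not cover.

```python
"""Static pre-admission check mirroring the baseline Pod Security Standard.

Added example, not code from the page or from the Kubernetes project.
"""
from typing import Any

# Capabilities the baseline profile permits a container to add
# (assumed from the upstream PSS baseline definition).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}

# Sysctls the baseline profile treats as safe (assumed, same source).
BASELINE_SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.ip_unprivileged_port_start",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
}


def _all_containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Regular, init and ephemeral containers are all subject to the checks."""
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def baseline_violations(pod: dict[str, Any]) -> list[str]:
    """Return human-readable baseline violations (empty list if compliant)."""
    spec = pod.get("spec", {})
    found: list[str] = []

    # 1. Host namespaces: sharing the node's network, PID or IPC namespace.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            found.append(f"spec.{ns} is true")

    # 2. hostPath volumes expose the node filesystem to the pod.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')!r} uses hostPath")

    # 3. Sysctls outside the safe set.
    for sysctl in spec.get("securityContext", {}).get("sysctls", []):
        if sysctl.get("name") not in BASELINE_SAFE_SYSCTLS:
            found.append(f"unsafe sysctl {sysctl.get('name')!r}")

    for c in _all_containers(spec):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        # 4. Privileged containers disable most isolation.
        if sc.get("privileged"):
            found.append(f"container {name!r} is privileged")
        # 5. Capabilities added beyond the baseline allow-list.
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap.upper() not in BASELINE_ALLOWED_CAPS:
                found.append(f"container {name!r} adds capability {cap}")
    return found


def is_baseline_compliant(pod: dict[str, Any]) -> bool:
    return not baseline_violations(pod)


# Constructed sample manifests (not taken from any real cluster).
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

CLEAN_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web", "image": "nginx",
            "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, CLEAN_POD):
        print(pod["metadata"]["name"], baseline_violations(pod) or "baseline OK")
```

Running it reports four findings for `node-debug` (host PID namespace, hostPath volume, privileged container, `SYS_ADMIN` added) and none for `web`, which only adds the baseline-permitted `NET_BIND_SERVICE`. The same logic is what a `warn` or `audit` PSA mode would surface at admission time; catching it in CI keeps the rejection out of the deploy path.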