pinkpixel-dev/implementing-kubernetes-pod-security-standards
SKILLS/implementing-kubernetes-pod-security-standards/SKILL.md
Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PS
$ install --global
skillsauthnpx skillsauth add pinkpixel-dev/skills-collection-2 implementing-kubernetes-pod-security-standardsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 29, 2026, 4:18 AM70.8s7 files scanned
SKILL.md
- name:
- implementing-kubernetes-pod-security-standards
- description:
- Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PS
- domain:
- cybersecurity
- subdomain:
- container-security
- tags:
- [containers, kubernetes, security, pod-security, PSA]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Implementing Kubernetes Pod Security Standards
Overview
Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PSA replaces the deprecated PodSecurityPolicy and provides namespace-level enforcement with three modes: enforce, audit, and warn.
When to Use
- When deploying or configuring implementing kubernetes pod security standards capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Kubernetes cluster 1.25+ (PSA GA)
- kubectl configured with cluster-admin access
- Understanding of Linux capabilities and security contexts
Core Concepts
Three Security Profiles
| Profile | Purpose | Restrictions | |---------|---------|-------------| | Privileged | Unrestricted, system workloads | None | | Baseline | Prevents known escalations | No hostNetwork, hostPID, hostIPC, privileged containers, dangerous capabilities | | Restricted | Hardened best practices | Non-root, drop ALL caps, seccomp required, read-only rootfs recommended |
Three Enforcement Modes
| Mode | Behavior | |------|----------| | enforce | Rejects pods that violate the policy | | audit | Logs violations in audit log but allows pod | | warn | Returns warning to user but allows pod |
Workflow
Step 1: Label Namespaces for PSA
# Restricted namespace - production workloads
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: latest
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: latest
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: latest
# Baseline namespace - general workloads
apiVersion: v1
kind: Namespace
metadata:
name: staging
labels:
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce-version: latest
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: latest
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: latest
# Privileged namespace - system components only
apiVersion: v1
kind: Namespace
metadata:
name: kube-system
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: latest
Step 2: Apply Labels to Existing Namespaces
# Apply restricted enforcement to production
kubectl label namespace production \
pod-security.kubernetes.io/enforce=restricted \
pod-security.kubernetes.io/audit=restricted \
pod-security.kubernetes.io/warn=restricted \
--overwrite
# Apply baseline to staging with restricted warnings
kubectl label namespace staging \
pod-security.kubernetes.io/enforce=baseline \
pod-security.kubernetes.io/audit=restricted \
pod-security.kubernetes.io/warn=restricted \
--overwrite
# Check labels on all namespaces
kubectl get namespaces -L pod-security.kubernetes.io/enforce
Step 3: Create Compliant Pod Specs
# Restricted-compliant deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: secure-app
namespace: production
spec:
replicas: 3
selector:
matchLabels:
app: secure-app
template:
metadata:
labels:
app: secure-app
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
fsGroup: 65534
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myregistry.com/myapp:v1.0.0@sha256:abc123
ports:
- containerPort: 8080
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 65534
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "500m"
volumeMounts:
- name: tmp
mountPath: /tmp
- name: cache
mountPath: /var/cache
volumes:
- name: tmp
emptyDir:
sizeLimit: 100Mi
- name: cache
emptyDir:
sizeLimit: 50Mi
Step 4: Gradual Migration Strategy
# Phase 1: Audit mode - discover violations without blocking
kubectl label namespace my-namespace \
pod-security.kubernetes.io/audit=restricted \
pod-security.kubernetes.io/warn=restricted
# Check audit logs for violations
kubectl logs -n kube-system -l component=kube-apiserver | grep "pod-security"
# Phase 2: Enforce baseline, warn on restricted
kubectl label namespace my-namespace \
pod-security.kubernetes.io/enforce=baseline \
pod-security.kubernetes.io/warn=restricted \
--overwrite
# Phase 3: Full restricted enforcement
kubectl label namespace my-namespace \
pod-security.kubernetes.io/enforce=restricted \
--overwrite
Step 5: Dry-Run Enforcement Testing
# Test what would happen with restricted enforcement
kubectl label --dry-run=server --overwrite namespace my-namespace \
pod-security.kubernetes.io/enforce=restricted
# Example output:
# Warning: existing pods in namespace "my-namespace" violate the new
# PodSecurity enforce level "restricted:latest"
# Warning: nginx-xxx: allowPrivilegeEscalation != false,
# unrestricted capabilities, runAsNonRoot != true, seccompProfile
Baseline Profile Restrictions
| Control | Restricted | Requirement | |---------|-----------|-------------| | HostProcess | Must not set | Pods cannot use Windows HostProcess | | Host Namespaces | Must not set | No hostNetwork, hostPID, hostIPC | | Privileged | Must not set | No privileged: true | | Capabilities | Baseline list only | Only NET_BIND_SERVICE, drop ALL for restricted | | HostPath Volumes | Must not use | No hostPath volume mounts | | Host Ports | Must not use | No hostPort in container spec | | AppArmor | Default/runtime | Cannot set to unconfined | | SELinux | Limited types | Only container_t, container_init_t, container_kvm_t | | /proc Mount Type | Default only | Must use Default proc mount | | Seccomp | RuntimeDefault or Localhost | Must specify seccomp profile (restricted) | | Sysctls | Safe set only | Limited to safe sysctls |
Validation Commands
# Verify namespace labels
kubectl get ns --show-labels | grep pod-security
# Test pod creation against policy
kubectl run test-pod --image=nginx --namespace=production --dry-run=server
# Check for violations in audit logs
kubectl get events --field-selector reason=FailedCreate -A
# Scan with Kubescape for PSS compliance
kubescape scan framework nsa --namespace production
References
- Pod Security Standards - Kubernetes
- Pod Security Admission - Kubernetes
- Migrate from PodSecurityPolicy
- Kubescape PSS Scanner
Related Skills
pinkpixel-dev/implementing-rapid7-insightvm-for-scanning
development
VerifiedTrustedCommunity
Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated vulnerability scanning across enterprise environments.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-kill-switch-detection
testing
VerifiedTrustedCommunity
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-backup-strategy
testing
VerifiedTrustedCommunity
Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-purdue-model-network-segmentation
testing
VerifiedTrustedCommunity
Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, enforcing strict traffic control between OT and IT domains.
1SKILL.mdUpdated May 29, 2026