DevOps Dictionary

Kubernetes Pod Security Standards (PSS)

Kubernetes Pod Security Standards (PSS) are Kubernetes-defined security levels that describe which pod behaviors are acceptable, such as whether containers can run as root, request privileged access, use host networking, or mount sensitive host paths. They address the common problem of inconsistent pod specs and “works on my cluster” defaults that can unintentionally grant powerful permissions and expand the blast radius of a compromised workload. PSS works by grouping rules into three profiles (Privileged, Baseline, Restricted) and applying them at the namespace level through the Pod Security admission controller, which evaluates pod manifests at creation or update time and can enforce, warn, or audit violations before the pod runs.

With Kubernetes Pod Security Standards (PSS), teams get predictable guardrails and fewer risky exceptions reaching production; without them, security depends on manual review and convention, increasing the chance that an overly permissive pod slips through. This gap exists because Kubernetes is flexible by default, so policy must be enforced at admission time to be reliable.
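
The namespace-level mechanism described above, shown as an added example that is not part of the original entry: a namespace labelled for the Pod Security admission controller, followed by one pod it rejects and one that satisfies the Restricted profile. The namespace name, pod names and image are constructed placeholders.

```yaml
# Constructed example: namespace, pod names and image are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                       # hypothetical namespace
  labels:
    # enforce: pods that violate the Baseline profile are rejected.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # warn / audit: pods short of Restricted are still admitted, but the
    # client sees a warning and the audit log entry is annotated.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Rejected at admission: hostNetwork and privileged both violate Baseline.
apiVersion: v1
kind: Pod
metadata:
  name: too-permissive
  namespace: team-a
spec:
  hostNetwork: true
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        privileged: true
---
# Admitted without warnings: meets the Restricted profile.
apiVersion: v1
kind: Pod
metadata:
  name: hardened
  namespace: team-a
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                 # any non-zero UID the image supports
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

The enforce mode acts on Pod objects only; for workload resources such as Deployments, the warn and audit modes flag the pod template, and the pods the controller then creates are what get rejected.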
