Kubernetes PSS (Restricted Profile) - Distroless
Enforcement Level: Restricted | Scope: Production Hardening | K8s Ver: v1.24+
The Distroless Advantage
The Distroless variant is built for the most tightly restricted Kubernetes environments. With no shell, no package manager and no spare OS utilities, and a non-root user baked into the image, it removes the usual reasons a workload fails the Pod Security Standards "Restricted" profile: it does not need root, added capabilities or a writable root filesystem to start. Keep in mind that PSS controls are evaluated on the Pod spec by the PodSecurity admission controller (namespace labels such as pod-security.kubernetes.io/enforce=restricted), not on image contents; the image makes a compliant spec easy to write, but the spec still has to set the fields.
Review the Shared Responsibility Model
Admission Controller Readiness
- Policy status: READY (schedules in Restricted namespaces without exceptions)
- Rules verified: 17 / 17 (Baseline + Restricted policies)
- Blocking violations: 0 policy violations found
Zero-Exception Deployment
A Pod built on this image can satisfy every control in the Kubernetes Restricted Pod Security Standard and can be deployed into namespaces enforcing the Restricted profile, or guarded by equivalent third-party admission webhooks, without exemptions. The image does not carry the compliance by itself: the Pod spec must still set runAsNonRoot: true, allowPrivilegeEscalation: false, drop all capabilities and select a seccomp profile. The matrix below records the static audit result for each rule.
Policy Enforcement Matrix
| ID | Profile | Restriction Rule | Field(s) checked | Severity | Static Audit |
|---|---|---|---|---|---|
| 1 | Baseline | HostProcess | securityContext.windowsOptions.hostProcess unset or false | HIGH | Pass |
| 2 | Baseline | Host Namespaces | spec.hostNetwork, spec.hostPID, spec.hostIPC unset or false | HIGH | Pass |
| 3 | Baseline | Privileged Containers | securityContext.privileged unset or false | HIGH | Pass |
| 4 | Baseline | Capabilities | capabilities.add limited to the Baseline allow-list (CHOWN, NET_BIND_SERVICE, SETUID, SETGID, ...) | MEDIUM | Pass |
| 5 | Baseline | HostPath Volumes | spec.volumes[*].hostPath unset | MEDIUM | Pass |
| 6 | Baseline | Host Ports | containers[*].ports[*].hostPort unset or 0 | HIGH | Pass |
| 7 | Baseline | AppArmor | profile unset, runtime/default or localhost/* | HIGH | Pass |
| 8 | Baseline | SELinux | seLinuxOptions.type unset or container_t, container_init_t, container_kvm_t; user and role unset | MEDIUM | Pass |
| 9 | Baseline | /proc Mount Type | securityContext.procMount unset or Default | MEDIUM | Pass |
| 10 | Baseline | Seccomp | seccompProfile.type not Unconfined | MEDIUM | Pass |
| 11 | Baseline | Sysctls | securityContext.sysctls limited to the kubelet's safe subset | MEDIUM | Pass |
| 12 | Restricted | Volume Types | only configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, secret | LOW | Pass |
| 13 | Restricted | Privilege Escalation | allowPrivilegeEscalation explicitly false on every container | MEDIUM | Pass |
| 14 | Restricted | Running as Non-root | runAsNonRoot true at pod level or on every container | MEDIUM | Pass |
| 15 | Restricted | Running as Non-root user | runAsUser unset or not 0 | LOW | Pass |
| 16 | Restricted | Seccomp | seccompProfile.type explicitly RuntimeDefault or Localhost | LOW | Pass |
| 17 | Restricted | Capabilities | capabilities.drop includes ALL; only NET_BIND_SERVICE may be added | LOW | Pass |
Rules 1 to 11 are the Baseline profile; Restricted includes all of them and adds rules 12 to 17, which is why Seccomp and Capabilities each appear twice with a stricter Restricted form.
Why Distroless + Restricted PSS?
Combining Distroless with the Restricted PSS profile gives a defence-in-depth pairing: the admission controller constrains the Pod spec, and the image removes what an attacker would use once inside.
- No Shell/Utilities: PSS has no rule about image contents, but with no sh, package manager or coreutils present, kubectl exec and most post-exploitation tooling have nothing to run, so a compromised process is much harder to turn into an interactive foothold or a container escape attempt.
- Explicit Non-Root: The image is built to run as a non-privileged user, so runAsNonRoot: true admits it without per-workload overrides. The kubelet verifies the UID at container start; set runAsUser to the image's UID in the spec, or make sure the image's USER is numeric, because a symbolic user name cannot be verified and the container fails with CreateContainerConfigError.
- Minimal Attack Surface: Fewer binaries and libraries mean fewer CVEs to patch and fewer exploitable code paths. The image itself does not limit syscalls; that is the job of the RuntimeDefault seccomp profile the Restricted rule requires, which cuts off the syscalls the remaining code paths never need.
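To make the matrix and the points above concrete, here is a static check of a Pod manifest against the 17 controls, as an added example that is not part of this page or the image vendor's tooling. It follows the rule definitions in the upstream Pod Security Standards documentation for v1.24+ in simplified form; the two pod manifests, the registry.example image references and UID 65532 are constructed for the demonstration. It is written in Python so it runs without a cluster: a constructed "lax" pod and a hardened distroless-style pod are passed through the Baseline and Restricted rules, and the function returns the violations the PodSecurity admission controller would report.

```python
# Added example (not the image vendor's tooling): a simplified static audit of a Pod
# manifest against the 17 Pod Security Standards controls. Allow-lists follow the upstream
# PSS docs for Kubernetes v1.24+; the real PodSecurity plugin has more version-specific detail.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
SAFE_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies",
                "net.ipv4.ip_unprivileged_port_start", "net.ipv4.ping_group_range",
                "net.ipv4.ip_local_reserved_ports"}
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}
SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def _containers(spec):
    # PSS container-level rules apply to init, regular and ephemeral containers alike.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])

def audit_pod(pod, profile="restricted"):
    """Return violations as (rule_id, message) tuples; [] means the pod would be admitted."""
    spec, v = pod.get("spec", {}), []
    psc = spec.get("securityContext", {})
    ctrs = list(_containers(spec))
    # Baseline, rules 1-11
    if psc.get("windowsOptions", {}).get("hostProcess") or any(
            c.get("securityContext", {}).get("windowsOptions", {}).get("hostProcess") for c in ctrs):
        v.append((1, "HostProcess pods are not allowed"))
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            v.append((2, f"{ns} must be unset or false"))
    if any("hostPath" in vol for vol in spec.get("volumes", [])):
        v.append((5, "hostPath volumes are not allowed"))
    for key, val in pod.get("metadata", {}).get("annotations", {}).items():
        if key.startswith(APPARMOR_PREFIX) and val != "runtime/default" and not val.startswith("localhost/"):
            v.append((7, f"AppArmor profile {val!r} must be runtime/default or localhost/*"))
    for sc in [psc] + [c.get("securityContext", {}) for c in ctrs]:
        sel = sc.get("seLinuxOptions", {})
        if sel.get("type", "") not in SELINUX_TYPES or sel.get("user") or sel.get("role"):
            v.append((8, "seLinuxOptions: type outside the allow-list, or user/role set"))
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            v.append((10, "seccompProfile.type Unconfined is not allowed"))
    for s in psc.get("sysctls", []):
        if s.get("name") not in SAFE_SYSCTLS:
            v.append((11, f"unsafe sysctl {s.get('name')}"))
    for c in ctrs:
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append((3, f"{c['name']}: privileged containers are not allowed"))
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in BASELINE_CAPS:
                v.append((4, f"{c['name']}: capability {cap} is outside the Baseline allow-list"))
        if any(p.get("hostPort", 0) != 0 for p in c.get("ports", [])):
            v.append((6, f"{c['name']}: hostPort must be unset or 0"))
        if sc.get("procMount", "Default") != "Default":
            v.append((9, f"{c['name']}: procMount must be Default"))
    if profile != "restricted":
        return v
    # Restricted, rules 12-17: these must be satisfied explicitly, not by omission
    for vol in spec.get("volumes", []):
        bad = {k for k in vol if k != "name"} - RESTRICTED_VOLUMES
        if bad:
            v.append((12, f"volume {vol.get('name')}: disallowed type(s) {sorted(bad)}"))
    for c in ctrs:
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append((13, f"{c['name']}: allowPrivilegeEscalation must be explicitly false"))
        if sc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            v.append((14, f"{c['name']}: runAsNonRoot must be true at pod or container level"))
        if sc.get("runAsUser", psc.get("runAsUser")) == 0:
            v.append((15, f"{c['name']}: runAsUser must not be 0"))
        if sc.get("seccompProfile", psc.get("seccompProfile", {})).get("type") not in ("RuntimeDefault", "Localhost"):
            v.append((16, f"{c['name']}: seccompProfile.type must be RuntimeDefault or Localhost"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append((17, f"{c['name']}: drop ALL capabilities; only NET_BIND_SERVICE may be added"))
    return v

# Constructed sample: a pod that "just works" on a permissive cluster but fails Restricted.
LAX_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-lax"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "registry.example/app:1.0",  # placeholder image
                    "ports": [{"containerPort": 8080, "hostPort": 8080}],
                    "securityContext": {"runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}}}],
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}}

# Constructed sample: the same workload on a distroless non-root image with every Restricted
# field set explicitly. UID 65532 is the conventional distroless "nonroot" user (assumption:
# check the USER your image actually ships with).
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "registry.example/app:1.0-distroless",  # placeholder
                    "ports": [{"containerPort": 8080}],
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":
    for pod in (LAX_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "admitted by Restricted")
```

Run it directly to print the findings for both pods: the hardened pod returns no violations, while the lax one fails Baseline rules 2, 4, 5 and 6 and Restricted rules 12 through 17. Notice which Restricted rows require an explicit value rather than an absent one: allowPrivilegeEscalation: false, runAsNonRoot: true and a seccomp profile have to be written into the spec, and leaving them out fails the audit even on a distroless image.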