Kubernetes PSS (Restricted Profile)
Enforcement Level: Restricted | Scope: Workload Isolation | K8s Ver: v1.24+
Scope of Responsibility (Image vs. Runtime)
The Kubernetes Pod Security Standards (PSS) evaluate workload isolation.
This audit verifies the static posture of the container image (e.g., verifying it does not require root, lacks setuid binaries, and drops capabilities natively). However, full PSS enforcement occurs at the Kubernetes Admission Controller. Operators must still explicitly declare the required securityContext parameters (like allowPrivilegeEscalation: false and runAsNonRoot: true) in their deployment manifests to successfully schedule this image.
Admission Controller Readiness
Policy Status: READY (Image is Restricted-Capable)
Rules Satisfied: 17 / 17 (Baseline + Restricted Policies)
Blocking Violations (Requires Image Rebuild): 0
Deployment Greenlight
This image is architecturally designed to satisfy the Kubernetes Restricted Pod Security Standard. It can be safely scheduled in highly regulated, multi-tenant environments without requesting PSP/PSA exceptions.
Policy Enforcement Matrix
| ID | Restriction Rule | Impact Level | Static Enforcement |
|---|---|---|---|
| 1 | HostProcess | HIGH | |
| 2 | Host Namespaces | HIGH | |
| 3 | Privileged Containers | HIGH | |
| 4 | Capabilities | MEDIUM | |
| 5 | HostPath Volumes | MEDIUM | |
| 6 | Host Ports | HIGH | |
| 7 | AppArmor | HIGH | |
| 8 | SELinux | MEDIUM | |
| 9 | /proc Mount Type | MEDIUM | |
| 10 | Seccomp | MEDIUM | |
| 11 | Sysctls | MEDIUM | |
| 12 | Volume Types | LOW | |
| 13 | Privilege Escalation | MEDIUM | |
| 14 | Running as Non-root | MEDIUM | |
| 15 | Running as Non-root user | LOW | |
| 16 | Seccomp | LOW | |
| 17 | Capabilities | LOW | |
Why This Matters
The Restricted Profile is the most stringent level of Kubernetes Pod security. Achieving image-level compliance here guarantees that your container:
- Is Invisible to the Host: Does not demand Host PID, IPC, or Network namespaces to function.
- Operates with Zero Privilege: Runs as a non-root user (USER openssl) and functions with all default Linux capabilities dropped (ALL).
- Is Sandbox-Ready: Fully compatible with the RuntimeDefault seccomp profile, which restricts the syscall attack surface.
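As an added example (not the audit's own tooling), the following Python function checks a Pod manifest, loaded as a dict, against the rules in the matrix above: the securityContext fields the Scope section says operators must declare, plus the host-isolation rules. The image reference and the manifest are constructed placeholders.

```python
# Added example (not part of the audit report): checks a Pod manifest, loaded
# as a dict, against the Restricted-profile rules the report lists. The image
# reference and the manifest below are constructed placeholders.

HOST_NS_FIELDS = ("hostPID", "hostIPC", "hostNetwork")

def container_violations(name, c, pod_sc):
    """Rules 3, 4, 13-17: container-level securityContext checks."""
    sc = c.get("securityContext", {})
    out = []
    if sc.get("privileged"):
        out.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{name}: allowPrivilegeEscalation must be false")
    # Pod-level values apply unless the container overrides them.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        out.append(f"{name}: runAsNonRoot must be true")
    if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        out.append(f"{name}: runAsUser 0 not allowed")
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        out.append(f"{name}: capabilities.drop must contain ALL")
    if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
        out.append(f"{name}: only NET_BIND_SERVICE may be added back")
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out

def restricted_violations(pod):
    """Return a list of rule violations; an empty list means Restricted-ready."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    out = [f"pod: {f} must not be true" for f in HOST_NS_FIELDS if spec.get(f)]
    out += [f"pod: hostPath volume {v.get('name')} not allowed"
            for v in spec.get("volumes", []) if "hostPath" in v]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        out += container_violations(c["name"], c, pod_sc)
    return out

# Constructed manifest for the audited image; the image name is a placeholder.
COMPLIANT = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "openssl", "image": "registry.example/openssl:TAG",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
```

The same fields are what the Pod Security Admission controller evaluates when a namespace is labelled for the restricted level, so a manifest that passes here should schedule without an exception.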
For details on how operational duties are divided between Image Builders and Cluster Administrators, see the Cloud Native Shared Responsibility Model.