From the course: Kubernetes and Cloud Native Security Associate (KCSA) Cert Prep

Pod security standards

In this section, we're going to be talking specifically about Kubernetes security implementations in-house. And what I mean is out of the box, what can you get? And we're going to talk about a few things that are out of the box as well. But this is going to be primarily around not only pod security, but out-of-the-box security that you can implement. Now, when I say out-of-the-box security, I don't mean it's turned on by default, I mean it's available by default. Okay.

So let's start out with pod security standards. Pod security standards define three different policies to broadly cover the security spectrum, and these policies are cumulative and range from highly permissive to highly restrictive, okay? So privileged is an unrestricted policy. It provides the widest possible level of permissions, and this policy allows for known privilege escalations. Baseline is a minimally restrictive policy which prevents known privilege escalations. It allows the default, minimally specified pod configuration. And then restricted is a heavily restricted policy. It follows current pod hardening best practices, and the privileged policy is purposely open and entirely unrestricted. Now, the baseline policy is aimed at ease of adoption for common containerized workloads, while preventing known privilege escalations, and the restricted policy is aimed at enforcing current pod hardening practices at the expense of some compatibility. Okay.

So you're going to be able to set these security standards based on how you want pods to interact in your environment. And of course, it's not only going to be based on the environment itself, but it's also going to be based on what the pods are doing, okay? So just as an example here, if you have a dev image that's deployed in Kubernetes and you're just kind of testing to see how it works, yeah, you probably don't have to harden that all that much because it's going to be iterated a million times. And then at the end, you're going to be able to actually set those pod security standards.
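The three profiles described above are applied per namespace through labels read by the built-in Pod Security Admission controller, which is exactly the "available by default, not turned on by default" distinction the lecture draws. The manifests below are an added example and are not part of the course material; the namespace names, pod name and image reference are assumptions. They put one namespace on `restricted`, keep a dev namespace on `baseline` with a warning when a pod would fail `restricted`, and show a pod spec that satisfies the `restricted` profile.

```yaml
# Added example (not from the course). Namespace names, the pod name and the
# image are assumed values.
#
# A namespace that enforces the "restricted" profile. Nothing is enforced
# until a label like this exists on the namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: payments            # assumed name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# A dev/test namespace kept at "baseline": known privilege escalations are
# still blocked, the default pod spec is allowed, and kubectl prints a warning
# (without rejecting) when a pod would not pass "restricted".
apiVersion: v1
kind: Namespace
metadata:
  name: dev-sandbox         # assumed name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted
---
# A pod that satisfies the "restricted" profile: runs as non-root, cannot
# gain privileges, drops every Linux capability and uses the runtime's
# default seccomp profile.
apiVersion: v1
kind: Pod
metadata:
  name: api                 # assumed name
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: api
    image: registry.example.com/api:1.0   # assumed image reference
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Apply the file with `kubectl apply -f`. In `payments`, a pod that omits any of those `securityContext` fields (or sets `privileged: true`, `hostNetwork: true`, and so on) is rejected at admission time; in `dev-sandbox` the same pod is admitted under `baseline` but the `warn` label surfaces what would have to change before the workload could move to a `restricted` namespace. Before tightening an existing namespace, `kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted` reports which running pods would violate the new level without changing anything.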
