Kubernetes Pod Security Standards (Privileged / Baseline / Restricted)
Kubernetes-native policy tiers replacing PodSecurityPolicy. EchelonGraph scores against the live Pod inventory + securityContext attributes captured by the Tier 3 watcher to verify which Pods meet Baseline vs Restricted profiles.
Privileged (unrestricted)
Unrestricted policy — should not be applied to production workloads. EchelonGraph flags Privileged-tier namespaces as low-severity informational so you can plan migration to Baseline / Restricted.
Baseline (minimally restrictive)
Prevents known privilege escalations: no privileged containers, no hostNetwork, no hostPID, no hostIPC. EchelonGraph aggregates Pod posture flags (priv_count, host_network, host_pid) to verify cluster-wide Baseline compliance.
Restricted (heavily restricted)
Requires runAsNonRoot, drops ALL capabilities, restricts volume types, requires seccomp RuntimeDefault. EchelonGraph evaluates restricted-tier compliance via runasnonroot_count + automount_sa_token + container security flags.
Audit mode for graduated rollout
PSS audit mode records violations without enforcing; useful for migration assessment.
Warn mode for developer feedback
PSS warn mode surfaces violations to kubectl users at apply time.
runAsNonRoot required
Restricted level requires runAsNonRoot: true on all containers.
seccompProfile required
Restricted level requires seccompProfile of RuntimeDefault or Localhost on every container.
Drop ALL capabilities
Restricted level requires capabilities.drop: [ALL]; only NET_BIND_SERVICE may be added.
Volume types restricted
Restricted level allows only: configMap, downwardAPI, emptyDir, projected, secret, csi, persistentVolumeClaim, ephemeral.
allowPrivilegeEscalation false
Restricted level requires allowPrivilegeEscalation: false on every container.
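The Baseline and Restricted controls listed above, as an added Python example that is neither EchelonGraph's code nor the upstream admission controller: it classifies a Pod spec (a dict parsed from the manifest) using only the checks named on this page. The function names, violation strings and sample Pod are constructed for illustration; for runAsNonRoot and seccompProfile, a pod-level securityContext value is taken to cover containers that leave the field unset.

```python
# Added example (not EchelonGraph code): classify a Pod spec dict using the controls on this page.
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "emptyDir", "projected",
                   "secret", "csi", "persistentVolumeClaim", "ephemeral"}

def _containers(spec):
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []

def _ok(pod_val, ctr_val, good):
    # Neither level may set a disallowed value; at least one must set an allowed one.
    vals = [v for v in (pod_val, ctr_val) if v is not None]
    return bool(vals) and all(good(v) for v in vals)

def baseline_violations(spec):
    out = [f"pod: {f}" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    return out + [f"{c['name']}: privileged" for c in _containers(spec)
                  if (c.get("securityContext") or {}).get("privileged")]

def restricted_violations(spec):
    out = baseline_violations(spec)
    psc = spec.get("securityContext") or {}
    pod_seccomp = (psc.get("seccompProfile") or {}).get("type")
    for vol in spec.get("volumes") or []:
        bad = set(vol) - {"name"} - ALLOWED_VOLUMES
        out += [f"volume {vol['name']}: {t}" for t in sorted(bad)]
    for c in _containers(spec):
        sc, n = c.get("securityContext") or {}, c["name"]
        caps = sc.get("capabilities") or {}
        seccomp = (sc.get("seccompProfile") or {}).get("type")
        if not _ok(psc.get("runAsNonRoot"), sc.get("runAsNonRoot"), lambda v: v is True):
            out.append(f"{n}: runAsNonRoot")
        if not _ok(pod_seccomp, seccomp, lambda v: v in ("RuntimeDefault", "Localhost")):
            out.append(f"{n}: seccompProfile")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{n}: allowPrivilegeEscalation")
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{n}: capabilities.drop")
        extra = sorted(set(caps.get("add") or []) - {"NET_BIND_SERVICE"})
        out += [f"{n}: capabilities.add {a}" for a in extra]
    return out

def pss_level(spec):
    if not restricted_violations(spec):
        return "restricted"
    return "privileged" if baseline_violations(spec) else "baseline"

# Constructed sample: a hardened container in a Pod that shares the host network.
SAMPLE = {"hostNetwork": True, "containers": [{"name": "web", "securityContext": {
    "runAsNonRoot": True, "allowPrivilegeEscalation": False,
    "seccompProfile": {"type": "RuntimeDefault"}, "capabilities": {"drop": ["ALL"]}}}]}
```

Calling pss_level(SAMPLE) reports the highest tier the Pod meets, and restricted_violations(SAMPLE) lists what blocks the next tier.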