Restricted (heavily restricted)
Description
Restricted includes every Baseline control and additionally requires runAsNonRoot=true (at pod or container level, never false), allowPrivilegeEscalation=false on every container, capabilities.drop ALL (only NET_BIND_SERVICE may be added back), a seccompProfile of type RuntimeDefault or Localhost (Unconfined is rejected), and limits volumes to configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected and secret. EchelonGraph evaluates restricted-tier compliance via runasnonroot_count + automount_sa_token (a hardening signal beyond the PSS specification itself) + container security flags.
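As an added example that is not part of this page or of EchelonGraph's product, the following stand-alone Python checker applies the Restricted-tier controls listed above to two constructed Pod manifests: a typical unhardened one and its hardened form. The function name, the sample manifests and the image names are assumptions for illustration; the field names and allowed values are those of the upstream Pod Security Standards.

```python
"""Evaluate a Pod manifest against the Restricted Pod Security Standard.

Hypothetical stand-alone checker (not EchelonGraph's implementation): it
mirrors the Restricted-tier controls using the field names and allowed
values from the upstream Pod Security Standards. The manifests at the
bottom are constructed samples.
"""
from typing import Any, Dict, List

# Volume types permitted by the Restricted profile.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _all_containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    # initContainers and ephemeralContainers are held to the same rules.
    return (spec.get("containers") or []) + (spec.get("initContainers") or []) \
        + (spec.get("ephemeralContainers") or [])


def check_restricted(pod: Dict[str, Any]) -> List[str]:
    """Return the list of Restricted violations; an empty list means compliant."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    # Baseline controls that Restricted inherits: no host namespaces.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} must be false")

    # Volume types: each volume has a name plus exactly one type key.
    for i, vol in enumerate(spec.get("volumes") or []):
        for kind in (k for k in vol if k != "name"):
            if kind not in RESTRICTED_VOLUME_TYPES:
                violations.append(f"spec.volumes[{i}] uses disallowed volume type {kind}")

    pod_nonroot = pod_sc.get("runAsNonRoot") is True
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    if pod_sc.get("runAsUser") == 0:
        violations.append("spec.securityContext.runAsUser must not be 0")
    if pod_seccomp is not None and pod_seccomp not in ALLOWED_SECCOMP:
        violations.append("spec.securityContext.seccompProfile.type must be RuntimeDefault or Localhost")

    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name}: privileged must be false")
        # Must be explicitly false; the default (unset) is not accepted.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name}: allowPrivilegeEscalation must be explicitly false")
        # Container may omit runAsNonRoot only when the pod level sets true; false is never allowed.
        c_nonroot = sc.get("runAsNonRoot")
        if c_nonroot is False or (c_nonroot is None and not pod_nonroot):
            violations.append(f"container {name}: runAsNonRoot must be true (or inherited from pod)")
        if sc.get("runAsUser") == 0:
            violations.append(f"container {name}: runAsUser must not be 0")
        # Seccomp: container value wins if set; otherwise the pod-level value applies.
        c_seccomp = (sc.get("seccompProfile") or {}).get("type")
        effective = c_seccomp if c_seccomp is not None else pod_seccomp
        if effective not in ALLOWED_SECCOMP:
            violations.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"container {name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"container {name}: capabilities.add may only contain NET_BIND_SERVICE, found {sorted(extra)}")
    return violations


# Constructed sample: an unhardened manifest as commonly found in older deployments.
DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-web"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx:1.25",
                        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}],
        "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],
    },
}

# Constructed sample: the same workload brought up to the Restricted tier.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened-web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged:1.25",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for pod in (DEFAULT_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "compliant")
```

A manifest that passes this check can still fail at runtime: the kubelet verifies runAsNonRoot against the image's configured user when the container starts, so an image that defaults to uid 0 is rejected unless the manifest also sets a non-zero runAsUser.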
⚠️ Risk Impact
Restricted is the PSS tier that most reduces container-escape blast radius. Baseline blocks the direct escape routes (privileged containers, host namespaces, hostPath mounts); Restricted additionally removes ambient Linux capabilities, execution as root, privilege gain through setuid binaries and file capabilities (allowPrivilegeEscalation=false sets no_new_privs), and unconfined syscall access, so a compromised process has far less to work with. Workloads not on Restricted are a recurring finding in compliance audits (PCI DSS 2.2, SOC 2 CC6.6, ISO 27001 A.8.27).
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
kubectl label ns <ns> pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/enforce-version=v1.29
Pod Security Admission evaluates Pods only when they are created or updated, so Pods already running in the namespace are not evicted and keep running until they are recreated. Before switching on enforce, set the same level in the warn and audit modes to surface the workloads that would be rejected, and pin enforce-version to the cluster's Kubernetes minor version (v1.29 above) so the policy definition does not change silently on a cluster upgrade.