Implementing Kubernetes Pod Security Standards Without Breaking Production
Most Pod Security Standards rollouts fail for a simple reason: teams jump straight to restricted without measuring what their workloads actually do. This guide shows how to move from audit to enforce with namespace labels, compliant pod specs, and clear exception boundaries.

TL;DR

Kubernetes Pod Security Standards are effective only when you treat them as an incremental enforcement program rather than a single label change. The modern path is Pod Security Admission, which became stable in Kubernetes v1.25 after PodSecurityPolicy was removed. A production rollout should start with warn and audit, pin policy versions, and then enforce baseline or restricted per namespace. The practical work is in fixing pod specs: run as non-root, drop Linux capabilities, disable privilege escalation, and set seccomp explicitly so application teams can pass admission without last-minute outages.

Pod Security Standar...
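A pre-admission check for the pod-spec fixes the TL;DR lists, as an added example that is not part of the original guide: it walks the containers of an embedded, constructed pod spec and reports which restricted-profile rules (non-root, dropped capabilities, no privilege escalation, explicit seccomp) would fail admission, so a team can see its gap before a namespace label moves from audit/warn to enforce. The function names and sample specs are my own; the rule set mirrors the documented restricted profile but omits the host-namespace, volume and sysctl checks.

```python
"""Pre-admission check for the container-level 'restricted' profile rules.
Added example, not from the original guide: flags violations of the rules the
TL;DR lists (non-root, drop capabilities, no privilege escalation, explicit
seccomp) before a namespace moves from audit/warn to enforce. Sample specs
are constructed; host namespaces, volumes and sysctls are not covered."""

def _containers(pod_spec):
    # PSA evaluates app, init and ephemeral containers alike.
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from pod_spec.get(key, [])

def restricted_violations(pod_spec):
    """Return human-readable violations; an empty list means the spec passes."""
    pod_sc = pod_spec.get("securityContext", {})
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")
    problems = []
    for c in _containers(pod_spec):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        # Must be explicitly false; an unset field is rejected.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        # Drop ALL; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            problems.append(f"{name}: capabilities.add not allowed: {extra}")
        # Pod-level values apply unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems

# Constructed samples: a typical default spec and its hardened counterpart.
DEFAULT_POD = {"containers": [{"name": "web", "image": "example/web:1.0"}]}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "example/web:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for label, pod in (("default", DEFAULT_POD), ("hardened", HARDENED_POD)):
        print(label, restricted_violations(pod) or "passes restricted")
```

The default spec fails all four listed rules, which is the usual starting point when audit mode is first enabled; the hardened spec passes with only pod-level runAsNonRoot and seccomp plus container-level privilege-escalation and capability settings.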