Kubernetes Pod Security: Harden Your Workloads

The Baseline profile blocks known privilege escalation vectors: no privileged containers, no hostPID/hostIPC/hostNetwork, no hostPath volumes, and no dangerous capabilities. This is suitable for most production workloads. The Restricted profile goes further: containers must run as non-root, use a read-only root filesystem, drop all capabilities, and set a seccomp profile. The Restricted profile is appropriate for untrusted workloads and multi-tenant clusters. Start with Baseline and graduate to Restricted as your application containerization matures.

Pod Security Admission (PSA) is built into Kubernetes since 1.25. Apply it by labeling namespaces: `pod-security.kubernetes.io/enforce: baseline` rejects any pod that violates the Baseline profile. Use `warn` mode first to see violations without blocking them, then switch to `enforce`. You can set different levels for different namespaces: Restricted for production, Baseline for staging, Privileged for system namespaces that run monitoring agents or CNI plugins. PSA replaces the deprecated PodSecurityPolicy (PSP) with a simpler, standards-based approach.

Set `securityContext` on every container: `runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, and `capabilities: { drop: [ALL] }`. Use a specific `runAsUser` UID rather than relying on the container image default. For pods that need to write temporary files, mount an emptyDir volume at the writable path instead of making the root filesystem writable. These settings dramatically reduce the impact of a container compromise: even if an attacker gains code execution, they cannot escalate to root or access the host.

Pod Security Admission prevents insecure configurations at deployment time, but runtime threats need runtime detection. Falco monitors system calls in real time and alerts on suspicious behavior: a shell spawning inside a container, sensitive file reads (/etc/shadow), outbound connections to unexpected IPs, or binary execution that was not part of the original image. Deploy Falco as a DaemonSet with its eBPF driver for low-overhead monitoring. Route alerts to Slack, PagerDuty, or your SIEM for investigation. Falco rules can be customized to match your specific application behavior.