Pod Security Standards: Three Tiers and Where Each Fits
Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with three tiers: privileged, baseline, restricted. The question is which tier fits which class of workload.
Privileged
Full access. System-level workloads only (CSI drivers, network plugins).
Locked to specific namespaces. The escape valve, not the default.
Baseline
Reasonable defaults. Most application workloads fit.
Allows common patterns; blocks the egregious ones (host network, privileged containers).
Restricted
Hardened. Zero-trust workloads. New workloads should target this.
Blocks everything baseline blocks and requires more besides. Some apps need adjustment to fit.
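To make the tiering concrete, here is an added example (not code from the page or from the Kubernetes project) that evaluates a pod spec against a representative subset of the baseline and restricted controls and reports the highest tier it would pass. It is deliberately simplified: the real Pod Security Admission controller checks more fields (hostPort, sysctls, AppArmor, SELinux, volume types, and others), so treat this as an illustration of how the tiers nest, not as a drop-in policy engine. The three pod specs are constructed samples.

```python
"""Simplified evaluator for a subset of the baseline and restricted PSS tiers.

Illustrative only: this covers a representative subset of the controls each
tier defines, not the complete list in the Kubernetes documentation.
"""
from typing import Dict, List

# Capabilities the baseline profile still permits a container to add.
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}


def _containers(pod: Dict) -> List[Dict]:
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def baseline_violations(pod: Dict) -> List[str]:
    """Baseline: block the egregious host-level escapes, allow common patterns."""
    spec = pod.get("spec", {})
    problems = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            problems.append(f"spec.{field} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"container {c['name']!r} is privileged")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added - BASELINE_ALLOWED_ADD):
            problems.append(f"container {c['name']!r} adds capability {cap}")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            problems.append(f"container {c['name']!r} sets seccomp Unconfined")
    return problems


def restricted_violations(pod: Dict) -> List[str]:
    """Restricted: everything baseline blocks, plus hardening the pod must opt into."""
    spec = pod.get("spec", {})
    problems = baseline_violations(pod)  # restricted is a superset of baseline
    pod_sc = spec.get("securityContext", {})
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r} must set allowPrivilegeEscalation: false")
        # runAsNonRoot may be set at pod level or per container; the container wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"container {name!r} must run as non-root")
        if "ALL" not in set(sc.get("capabilities", {}).get("drop", [])):
            problems.append(f"container {name!r} must drop ALL capabilities")
        # Baseline already flagged adds outside its list; restricted narrows the rest.
        extra = set(sc.get("capabilities", {}).get("add", [])) & (BASELINE_ALLOWED_ADD - {"NET_BIND_SERVICE"})
        for cap in sorted(extra):
            problems.append(f"container {name!r} may only add NET_BIND_SERVICE, not {cap}")
        if sc.get("seccompProfile", {}).get("type", pod_seccomp) not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name!r} needs seccompProfile RuntimeDefault or Localhost")
    return problems


def highest_passing_tier(pod: Dict) -> str:
    """Return the strictest tier this pod would be admitted under."""
    if not restricted_violations(pod):
        return "restricted"
    if not baseline_violations(pod):
        return "baseline"
    return "privileged"


# Constructed sample specs, one per tier.
CSI_NODE_PLUGIN = {"spec": {
    "hostNetwork": True,
    "volumes": [{"name": "kubelet-dir", "hostPath": {"path": "/var/lib/kubelet"}}],
    "containers": [{"name": "csi-node", "image": "example/csi-node:placeholder",
                    "securityContext": {"privileged": True}}],
}}
PLAIN_WEB_APP = {"spec": {
    "containers": [{"name": "web", "image": "example/web:placeholder"}],
}}
HARDENED_WEB_APP = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "example/web:placeholder",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"],
                                                         "add": ["NET_BIND_SERVICE"]}}}],
}}

if __name__ == "__main__":
    for label, pod in (("csi", CSI_NODE_PLUGIN), ("plain", PLAIN_WEB_APP), ("hardened", HARDENED_WEB_APP)):
        print(label, "->", highest_passing_tier(pod), restricted_violations(pod))
```

The plain web app passes baseline untouched but needs four changes to reach restricted, which is the "some apps need adjustment" point above; the CSI plugin lands in privileged and belongs in a namespace that is labelled for it. In a real cluster the tier is applied per namespace with the `pod-security.kubernetes.io/enforce`, `audit` and `warn` labels, so the usual migration path is to set `warn`/`audit` to restricted first, fix what the warnings surface, then raise `enforce`.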