generated from coulomb/repo-seed
1.3 KiB
1.3 KiB
Pattern: Pod Security Baseline/Restricted
Status: seed Readiness target: RL3 production Primary owners: Railiance platform, product repos Genesis family: Kubernetes and platform
Problem
Workloads can gain host, network, filesystem, or privilege escalation capabilities that are unnecessary and dangerous in production.
Context
Use this pattern for Kubernetes workloads, tenant namespaces, platform services, controllers, and admission policies.
Forces
- Some platform components need elevated privileges.
- Most product workloads should run with restricted settings.
- Exceptions must not become broad namespace bypasses.
- Developers need clear guidance for safe pod specs.
Solution
Apply Kubernetes Pod Security baseline or restricted profiles with admission enforcement, explicit exceptions, and tests for privileged features such as host networking, hostPath, root users, and privilege escalation.
Verification
- Non-exempt workloads run as non-root and cannot escalate privileges.
- hostPath, host networking, and privileged mode are rejected by default.
- Exceptions are scoped, owned, and time bounded.
- Policy tests cover representative manifests.
Related Patterns
- Secure Cluster Baseline.
- Policy-as-Code Admission Control.
- Namespace-per-Tenant.
- Network Default Deny.