What are Kubernetes Pod Security Standards (privileged, baseline, restricted)? [Advanced]
Answer
Kubernetes Pod Security Standards define three policy levels: privileged, baseline, and restricted. Privileged is highly permissive, baseline prevents known privilege escalation patterns while allowing common workloads, and restricted applies stronger hardening suitable for security-sensitive workloads.
Technical explanation
Pod Security Admission can enforce these standards at the namespace level using labels for the enforce, audit, and warn modes.
Baseline is often a practical minimum for general workloads.
Restricted requires controls such as non-root execution, seccomp, dropped capabilities, and no privilege escalation.
Hands-on example
kubectl label ns prod pod-security.kubernetes.io/enforce=restricted
kubectl label ns prod pod-security.kubernetes.io/audit=restricted
kubectl label ns prod pod-security.kubernetes.io/warn=restricted
Then test a privileged pod and confirm the API server rejects it.
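The restricted controls listed above, written out as a simplified Python check so you can see which fields a privileged pod is missing. This is an added example, not code from the original page or from Pod Security Admission itself. The manifests are constructed samples, the field names are the standard pod securityContext fields, and the check skips initContainers, volumes and host namespaces.

```python
def restricted_violations(pod):
    """Return the reasons a pod manifest (as a dict) fails these checks."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        if sc.get("privileged"):  # already forbidden at baseline
            problems.append(f"{name}: privileged=true")
        # A container value overrides the pod-level one; unset inherits it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot is not true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: no RuntimeDefault/Localhost seccomp profile")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation is not false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop does not include ALL")
        extra = sorted(set(caps.get("add") or []) - {"NET_BIND_SERVICE"})
        if extra:
            problems.append(f"{name}: capabilities.add contains {extra}")
    return problems

# Constructed sample manifests; the names and image are placeholders.
PRIVILEGED_POD = {"spec": {"containers": [{
    "name": "app", "image": "registry.example/app:1.0",
    "securityContext": {"privileged": True},
}]}}

HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app", "image": "registry.example/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}}

if __name__ == "__main__":
    for label, pod in (("privileged", PRIVILEGED_POD), ("hardened", HARDENED_POD)):
        print(label, restricted_violations(pod) or "passes")
```

The API server remains the authority: a pod that passes this check can still be rejected for fields the sketch does not cover.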
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]