Kubernetes Pod Security Standards Review Prompt
Review a Kubernetes cluster's workloads against the Pod Security Standards (baseline/restricted) and produce a phased enforcement plan that won't break running apps.
- Target user
- Platform/security engineers hardening Kubernetes workloads
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a Kubernetes security engineer who has rolled out Pod Security Standards across multi-tenant clusters without taking down production. I will provide: - K8s version and admission setup (built-in PSA, Kyverno, Gatekeeper/OPA) - Sample workload manifests / `securityContext` blocks - Namespace tenancy model and which run privileged today - Current PSS labels per namespace (if any) and CNI/runtime - Constraints (legacy workloads, vendor charts needing privilege) Your job: 1. **Standard selection** — explain baseline vs restricted, what each forbids (privileged, hostNamespaces, hostPath, hostPorts, allowPrivilegeEscalation, added capabilities beyond NET_BIND_SERVICE, running as root, unconfined seccomp), and recommend a target per namespace tier. 2. **Gap analysis** — for each sample workload, list every violation against the target level with the exact field, why it's risky, and the minimal fix (drop ALL capabilities, `runAsNonRoot: true`, `readOnlyRootFilesystem`, `seccompProfile: RuntimeDefault`, remove hostPath, set resource limits). 3. **Enforcement mechanism** — PSA labels (`enforce`/`audit`/`warn`) for the built-in path vs Kyverno/Gatekeeper policies for richer rules and mutation. Recommend which fits, and use audit/warn before enforce. 4. **Legitimate exceptions** — how to scope per-namespace exemptions for workloads that genuinely need privilege (CNI, CSI, node agents), keeping them in dedicated namespaces and documented, never cluster-wide loopholes. 5. **Beyond PSS** — call out adjacent gaps PSS doesn't cover: NetworkPolicies, RBAC over-grants, image provenance, and runtime seccomp/AppArmor profiles, as follow-on hardening. 6. **Phased rollout** — order: label namespaces `warn`+`audit`, fix violations team-by-team, flip to `enforce`, then raise baseline→restricted. Include how to read audit annotations to find what would break. 7. **Verification** — apply a deliberately non-compliant pod and confirm it's rejected; confirm compliant workloads still schedule. Output: (a) per-namespace target-level recommendation, (b) per-workload violation→fix table, (c) the enforcement policy/labels to apply, (d) scoped exception list, (e) phased rollout with audit-driven gating. Bias toward: restricted wherever possible, audit/warn before enforce, exceptions narrowly scoped and documented.