2025-03-10 Hünkar Döner
EKS Pod Security Standards (PSS) Guide
Security, PSS, EKS, Best Practices
With Kubernetes v1.25, PodSecurityPolicy (PSP) was removed entirely, which confused many EKS users who had built their pod hardening on it. Its replacement is the Pod Security Standards (PSS), a set of three predefined policy levels, enforced by the built-in Pod Security Admission (PSA) controller that ships with the API server.
What is PSS?
PSS defines three security levels (profiles) for pods, each one a superset of the previous:
- Privileged: unrestricted, the equivalent of no policy at all. Only for cluster operators and node-level infrastructure components that genuinely need host access (CNI, CSI, node agents).
- Baseline: blocks the known privilege escalations (privileged containers, host namespaces via hostNetwork/hostPID/hostIPC, hostPath volumes, hostPort, unsafe sysctls and dangerous added capabilities) while letting ordinary applications run without changes.
- Restricted: the strictest level, following current hardening best practice. On top of Baseline it requires runAsNonRoot, dropping ALL capabilities (only NET_BIND_SERVICE may be added back), allowPrivilegeEscalation set to false, a RuntimeDefault or Localhost seccomp profile, and an allow list of volume types. Most workloads need securityContext changes to pass it.
How to Implement in EKS?
PSS is applied per namespace by setting labels; PSA runs inside the managed EKS control plane, so there is nothing to install. Each label names a mode and a level: enforce rejects non-compliant pods, warn returns a warning to the client, and audit records the violation in the audit log. The modes are independent, so a namespace can enforce baseline while warning on restricted. The matching -version label pins which revision of the profile is evaluated (latest, or a cluster minor such as v1.30); latest is the default and can tighten when the cluster is upgraded.
Example: enforce the restricted level in the my-app namespace, so that pods that do not comply are rejected.
kubectl label namespace my-app pod-security.kubernetes.io/enforce=restricted
kubectl label namespace my-app pod-security.kubernetes.io/enforce-version=latest
A pod in this namespace that asks to run as root, or simply omits the securityContext fields Restricted requires, is rejected by the API server at admission time, before it is scheduled. Two caveats: PSA enforces on Pods, not on Deployments, so kubectl apply of a Deployment succeeds (with a warning), and the failure surfaces later as FailedCreate events on its ReplicaSet; and the labels only affect pods created after they are set, existing pods keep running. Before turning enforce on in a namespace that already has workloads, run the same kubectl label command with --dry-run=server to list the pods that would be rejected.
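To make the three levels concrete, here is an added example (not code from the article, and not the PSA controller itself): a small Python script that re-implements the most common Baseline and Restricted checks over pod manifests written as dicts, and builds the namespace label set for enforce/warn/audit. The three sample manifests are constructed for the example, and the checker covers only a subset of the controls; use it to see which fields PSA inspects, and use the real admission controller (kubectl --dry-run=server) for an authoritative answer.

```python
"""Offline re-implementation of the main Baseline and Restricted PSS checks.

Added example for this article: NOT the Pod Security Admission controller and
only a subset of its controls. It shows which manifest fields each level looks at.
"""

# Restricted allows only these volume types; hostPath and friends are rejected.
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}
SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def pss_namespace_labels(enforce, warn=None, audit=None, version="latest"):
    """Label set for a Namespace: one level per mode plus the pinned version.

    enforce rejects the pod, warn returns a client warning, audit writes an
    audit-log annotation. version is "latest" or "v<MAJOR>.<MINOR>".
    """
    labels = {}
    for mode, level in (("enforce", enforce), ("warn", warn), ("audit", audit)):
        if level:
            labels[f"pod-security.kubernetes.io/{mode}"] = level
            labels[f"pod-security.kubernetes.io/{mode}-version"] = version
    return labels


def _all_containers(spec):
    """PSA checks init, regular and ephemeral containers alike."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def baseline_violations(pod):
    """Known privilege escalations blocked by Baseline (and so by Restricted)."""
    spec, found = pod["spec"], []
    for host_ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_ns):
            found.append(f"pod shares {host_ns}")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol['name']} uses hostPath")
    for c in _all_containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"container {c['name']} is privileged")
        if any(p.get("hostPort") for p in c.get("ports", [])):
            found.append(f"container {c['name']} uses hostPort")
    return found


def restricted_violations(pod):
    """Everything Baseline rejects, plus the hardening Restricted demands."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})  # container-level values override these
    found = baseline_violations(pod)
    for vol in spec.get("volumes", []):
        kinds = set(vol) - {"name"}
        if "hostPath" not in kinds and not kinds <= ALLOWED_VOLUMES:
            found.append(f"volume {vol['name']} type not allowed: {sorted(kinds)}")
    if pod_sc.get("runAsUser") == 0:
        found.append("pod runAsUser is 0")
    for c in _all_containers(spec):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:  # must be set explicitly
            found.append(f"container {name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name}: must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name}: only NET_BIND_SERVICE may be added back")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"container {name}: runAsNonRoot must be true")
        if sc.get("runAsUser") == 0:
            found.append(f"container {name}: runAsUser is 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in SECCOMP_OK:
            found.append(f"container {name}: seccompProfile must be RuntimeDefault or Localhost")
    return found


# Constructed sample manifests (dict form of the YAML you would kubectl apply);
# image names are placeholders.
ROOT_POD = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "root-shell", "namespace": "my-app"},
            "spec": {"containers": [{"name": "shell", "image": "example.com/tools:1.0",
                                     "securityContext": {"runAsUser": 0}}]}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "web", "namespace": "my-app"},
                "spec": {"securityContext": {"runAsNonRoot": True,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "app", "image": "example.com/app:1.0",
                                         "ports": [{"containerPort": 8080}],
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]}}}],
                         "volumes": [{"name": "tmp", "emptyDir": {}}]}}

NODE_AGENT_POD = {"apiVersion": "v1", "kind": "Pod",  # typical CNI-style pod: Privileged only
                  "metadata": {"name": "node-agent", "namespace": "kube-system"},
                  "spec": {"hostNetwork": True,
                           "containers": [{"name": "agent", "image": "example.com/agent:1.0",
                                           "securityContext": {"privileged": True}}],
                           "volumes": [{"name": "cni", "hostPath": {"path": "/etc/cni/net.d"}}]}}

if __name__ == "__main__":
    print(pss_namespace_labels("restricted", warn="restricted"))
    for pod in (ROOT_POD, HARDENED_POD, NODE_AGENT_POD):
        print(pod["metadata"]["name"], "baseline:", baseline_violations(pod))
        print(pod["metadata"]["name"], "restricted:", restricted_violations(pod))
```

The root-shell pod passes Baseline (it does nothing host-related) but fails Restricted on five counts, which is exactly why most teams need a warn-mode rollout before enforcing Restricted; the node-agent pod fails even Baseline and belongs in a Privileged namespace.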
For a secure EKS environment, apply at least Baseline, and Restricted wherever the workload tolerates it, in every namespace except kube-system and the namespaces that host node-level agents (CNI, CSI, monitoring). Roll a stricter level out with warn and audit first, fix the reported violations, and only then switch enforce.