CME-706

Pod Security Standards (Restricted)

Isolate Application High Confidence

Description

Kubernetes Pod Security Standards at Restricted level: requires non-root, drops ALL capabilities, blocks privilege escalation, requires seccomp, blocks hostPath/hostNetwork/hostPID.

CVSS Vector Impacts

Metric Transition Rationale
Scope (S) C U Pod cannot access host resources or escalate to host context
Privileges Required (PR) L H Non-root, no privilege escalation, minimal capabilities

CWE Relationships

CWE-269 CWE-284

Verification

Check namespace PSS enforcement label

$ kubectl get namespace <ns> -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}'
# Expected: restricted
Platform: kubernetes
← CME-705: Dropped Linux Capabilities CME-707: NoNewPrivileges →