Mapping PodSecurityPolicies to Pod Security Standards

The tables below enumerate the configuration parameters on PodSecurityPolicy objects, whether the field mutates and/or validates pods, and how the configuration values map to the Pod Security Standards.

For each applicable parameter, the allowed values for the Baseline and Restricted profiles are listed. Anything outside the allowed values for those profiles would fall under the Privileged profile. "No opinion" means all values are allowed under all Pod Security Standards.

For a step-by-step migration guide, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.

PodSecurityPolicy Spec

The fields enumerated in this table are part of the PodSecurityPolicySpec, which is specified under the .spec field path.

Baseline: subset of

• AUDIT_WRITE
• CHOWN
• DAC_OVERRIDE
• FOWNER
• FSETID
• KILL
• MKNOD
• NET_BIND_SERVICE
• SETFCAP
• SETGID
• SETPCAP
• SETUID
• SYS_CHROOT

Restricted: empty / undefined / nil OR a list containing only NET_BIND_SERVICErequiredDropCapabilitiesMutating & Validating

Baseline: no opinion

Restricted: must include ALL

Baseline: anything except

• hostPath
• *

Restricted: subset of

• configMap
• csi
• downwardAPI
• emptyDir
• ephemeral
• persistentVolumeClaim
• projected
• secret

Baseline & Restricted: seLinux.rule is MustRunAs, with the following options

• user is unset ("" / undefined / nil)
• role is unset ("" / undefined / nil)
• type is unset or one of: container_t, container_init_t, container_kvm_t, container_engine_t
• level is anything

Baseline: Anything

Restricted: rule is MustRunAsNonRoot

Only mutating if set to false

Baseline: No opinion

Restricted: false

PodSecurityPolicy annotations

The annotations enumerated in this table can be specified under .metadata.annotations on the PodSecurityPolicy object.