Baseline Policies
Policies implementing the Pod Security Standards Baseline profile, applied cluster-wide. They block the known privilege-escalation vectors covered by that profile and are the minimum security requirement for all workloads.
Policies
- disallow-privileged.yaml: Block privileged containers
- disallow-host-namespaces.yaml: Block hostPID, hostIPC, hostNetwork
- disallow-host-ports.yaml: Block hostPort usage
- restrict-sysctls.yaml: Allow only safe sysctls
Scope
Applied as ClusterPolicy resources, enforced in all namespaces except the explicitly excluded platform namespaces (kube-system, istio-system, flux-system). Pods in the excluded namespaces are not validated at all, so keep that list as short as possible and review additions to it.
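As an added illustration (not a file from this repository), here is a ClusterPolicy in the shape the disallow-privileged.yaml entry and the Scope section describe. It assumes Kyverno, whose ClusterPolicy kind and policy naming these match; the policy name, rule name, message text and annotation values are illustrative choices, not taken from the page.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # illustrative name
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
spec:
  # Enforce rejects non-compliant Pods at admission; Audit would only report.
  validationFailureAction: Enforce
  # Also scan existing Pods so drift is reported, not just new admissions.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Platform namespaces listed under Scope are exempt from this rule.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - istio-system
                - flux-system
      validate:
        message: >-
          Privileged mode is disallowed. securityContext.privileged must be
          unset or false on all containers, initContainers and ephemeralContainers.
        # "=(key)" means: if the key is present it must match; absence is allowed,
        # so a Pod with no securityContext passes and privileged: true fails.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

The same match/exclude block is what the other three baseline policies would carry to honour the Scope section; only the validate pattern differs per control. Note that an exclude on a Pod rule does not cover controllers that create Pods in non-excluded namespaces, which is the intended behaviour: the Pod is validated where it lands.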