- Always configure `securityContext` on Pods and Containers
- Drop all Linux capabilities by default (`drop: ["ALL"]`), then add back only the ones the workload strictly needs; never set `privileged: true`
- Set `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, and run as an explicit unprivileged UID
- Set `readOnlyRootFilesystem: true` and mount `emptyDir` volumes (for example at `/tmp`) only where the application genuinely needs write access
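The following is an added example (not part of the original checklist) that audits a Pod spec against the points above. The specs are constructed Python dicts mirroring the manifest structure; the `audit_pod` function and its finding strings are this example's own.

```python
"""Audit a Kubernetes Pod spec's securityContext against the hardening checklist."""

# Constructed sample: a Pod that ignores the checklist (dict mirrors the YAML manifest).
WEAK_POD = {
    "spec": {
        "securityContext": {},
        "containers": [{"name": "app", "securityContext": {"privileged": True}}],
    }
}

# Constructed sample: the same Pod hardened. Root FS is read-only; /tmp is an emptyDir.
HARDENED_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    }
}


def audit_pod(pod):
    """Return a list of (container_name, finding) tuples; an empty list means compliant."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # runAsNonRoot/runAsUser exist at both levels; the container value overrides the Pod's.
        eff = {**pod_sc, **sc}
        if sc.get("privileged"):
            findings.append((name, "privileged: true"))
        # Default is true, so an unset field is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        if not eff.get("runAsNonRoot") and eff.get("runAsUser", 0) == 0:
            findings.append((name, "may run as root (runAsNonRoot/runAsUser unset)"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "readOnlyRootFilesystem not true"))
        dropped = [x.upper() for x in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append((name, "capabilities.drop does not include ALL"))
    return findings
```

Run `audit_pod(WEAK_POD)` to see the five findings and `audit_pod(HARDENED_POD)` to confirm the corrected spec passes.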