1. Label the namespace with `pod-security.kubernetes.io/enforce: restricted` and optionally `warn` and `audit` at the same or lower level
2. Set `securityContext.runAsNonRoot: true` and `runAsUser` to a non-zero UID at the pod level (`spec.securityContext` in a Pod, `spec.template.spec.securityContext` in a Deployment)
3. Set `securityContext.allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` on each entry in `containers[]`
4. Set `capabilities.drop: [ALL]` and add back only the specific Linux capabilities required (e.g., `NET_BIND_SERVICE`, the only capability the `restricted` profile permits adding)
5. Apply in `warn` mode first and review the warning output from `kubectl apply` before switching to `enforce`
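The five steps above, and the `/tmp` gotcha listed further down, combined into one manifest. This is an added example, not code from the original page: the namespace name `team-a`, the Deployment name `web`, the image `ghcr.io/example/web:1.0`, and UID/GID 10001 are placeholders.

```yaml
# Added example (not from the original page): a namespace labelled for the
# restricted Pod Security Standard plus a Deployment that satisfies it.
# team-a, web, ghcr.io/example/web:1.0 and UID 10001 are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # enforce rejects violating pods; warn and audit at the same level
    # surface the same violations to kubectl users and to the audit log
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: team-a
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      # Pod-level settings live under spec.template.spec in a Deployment
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault   # restricted also requires a seccomp profile
      containers:
      - name: web
        image: ghcr.io/example/web:1.0   # placeholder image
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]   # only because the app binds port 80
        volumeMounts:
        - name: tmp
          mountPath: /tmp
      volumes:
      - name: tmp
        emptyDir: {}   # writable scratch space despite the read-only root fs
```

Apply it with `kubectl apply -f`. To see which pods already in a namespace would be rejected before the `enforce` label goes on, the upstream docs' server-side dry run `kubectl label --dry-run=server --overwrite ns team-a pod-security.kubernetes.io/enforce=restricted` prints a warning per violating pod without changing the namespace.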
Known gotchas
- The `restricted` policy blocks many common images that run as root — audit all workloads in a namespace before setting enforce mode to avoid unexpected pod rejections
- `readOnlyRootFilesystem: true` causes applications that write temporary files to `/tmp` to fail at runtime — mount an `emptyDir` volume at `/tmp` for those containers
- Pod Security Admission is a built-in admission controller; it does not require a separate installation but also cannot express custom rules — use it alongside Kyverno or OPA for organization-specific policies
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp