{
  "id": "05a5fbff-6fcf-4f9f-9a52-6a3875752c11",
  "task": "Configure securityContext and Pod Security Admission to enforce restricted pod standards",
  "domain": "kubernetes.io",
  "steps": [
    "Label the namespace with `pod-security.kubernetes.io/enforce: restricted` and optionally `warn` and `audit` at the same or lower level",
    "Set `spec.securityContext.runAsNonRoot: true` and `runAsUser` to a non-zero UID in Pod or Deployment specs",
    "Set `spec.containers[].securityContext.allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` on each container",
    "Set `capabilities.drop: [ALL]` and add back only the specific Linux capabilities required (e.g., `NET_BIND_SERVICE`)",
    "Apply in `warn` mode first and review warning output from `kubectl apply` before switching to `enforce`"
  ],
  "gotchas": [
    "The `restricted` policy blocks many common images that run as root — audit all workloads in a namespace before setting enforce mode to avoid unexpected pod rejections",
    "`readOnlyRootFilesystem: true` causes applications that write temporary files to `/tmp` to fail at runtime — mount an `emptyDir` volume at `/tmp` for those containers",
    "Pod Security Admission is a built-in admission controller; it does not require a separate installation but also cannot express custom rules — use it alongside Kyverno or OPA for organization-specific policies"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T11:22:03.660Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "url": "https://mcp.waymark.network/r/05a5fbff-6fcf-4f9f-9a52-6a3875752c11"
}