DAY 14Kubernetes

Pod Security Standards — Reject Privileged Workloads at Admission Time

Day 13 fixed who can talk to the cluster. Day 14 fixes what can run in it. Pod Security Standards is the built-in admission controller that replaces the deprecated PodSecurityPolicy — turn it on per-namespace with one label, and a Pod that asks for `privileged: true` or runs as root is rejected by the API server before it ever lands on a node. Switch the webapp to the unprivileged nginx image, lock down every Pod field PSS cares about, then watch a deliberately-bad Pod get refused in real time.

May 19, 2026 21 min read4k words

This lesson is for members

The first 7 days of 30 Days of DevOps are free. Unlock the full curriculum — every day of every series, current and future — with one membership.

Monthly

₹399

per month

Annual

₹2,999

per year

Lifetime

₹6,999

one-time

See membership plans Already a member? Sign in

Every series, all days — including future series
Verified, project-based, no fluff
Progress synced across all your devices