Mapping PodSecurityPolicies to Pod Security Standards

    For each applicable parameter, the allowed values for the Baseline and Restricted profiles are listed. Anything outside the allowed values for those profiles would fall under the Privileged profile. “No opinion” means all values are allowed under all Pod Security Standards.

    For a step-by-step migration guide, see .

    The fields enumerated in this table are part of the PodSecurityPolicySpec, which is specified under the .spec field path.

    PodSecurityPolicy annotations

    The annotations enumerated in this table can be specified under .metadata.annotations on the PodSecurityPolicy object.

    Mapping PodSecurityPolicy annotations to Pod Security Standards

    | PSP Annotation | Type | Pod Security Standards Equivalent |
    |---|---|---|
    | seccomp.security.alpha.kubernetes.io/defaultProfileName | Mutating | No opinion |
    | seccomp.security.alpha.kubernetes.io/allowedProfileNames | Validating | Baseline: “runtime/default,” (Trailing comma to allow unset). Restricted: “runtime/default” (No trailing comma). localhost/ values are also permitted for both Baseline & Restricted. |
    | apparmor.security.beta.kubernetes.io/defaultProfileName | Mutating | No opinion |
    | apparmor.security.beta.kubernetes.io/allowedProfileNames | Validating | Baseline: “runtime/default,” (Trailing comma to allow unset). localhost/ values are also permitted for both Baseline & Restricted. |
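
The annotation table above can be applied mechanically when auditing existing policies. The following is an added example, not code from the Kubernetes project: the function names and the sample PodSecurityPolicy are constructed for illustration, and annotations absent from the object are skipped because the table does not cover that case.

```python
# Added example: classifies PSP annotations using the table above.
SECCOMP = "seccomp.security.alpha.kubernetes.io"
APPARMOR = "apparmor.security.beta.kubernetes.io"
LEVELS = ["Restricted", "Baseline", "Privileged"]  # strictest first


def allowed_profiles_level(value, restricted_listed=True):
    """Strictest profile from the table whose allowed values cover `value`.

    restricted_listed=False is for rows where the table gives only a
    Baseline value (AppArmor), so the best possible result is "Baseline".
    """
    level = "Restricted" if restricted_listed else "Baseline"
    for entry in (e.strip() for e in value.split(",")):
        if entry == "runtime/default" or entry.startswith("localhost/"):
            continue  # permitted for both Baseline and Restricted
        if entry == "":
            # An empty entry (the trailing comma) lets pods leave the profile unset.
            level = max(level, "Baseline", key=LEVELS.index)
        else:
            return "Privileged"  # e.g. "*" or "unconfined": outside both profiles
    return level


def classify_psp(psp):
    """Return {annotation: Pod Security Standards equivalent} for annotations present."""
    annotations = psp.get("metadata", {}).get("annotations") or {}
    report = {}
    for prefix in (SECCOMP, APPARMOR):
        default_key = f"{prefix}/defaultProfileName"
        allowed_key = f"{prefix}/allowedProfileNames"
        if default_key in annotations:
            report[default_key] = "No opinion"  # mutating: any value is allowed
        if allowed_key in annotations:
            report[allowed_key] = allowed_profiles_level(
                annotations[allowed_key], restricted_listed=(prefix == SECCOMP))
    return report


# Constructed sample PodSecurityPolicy, already parsed from YAML into a dict.
SAMPLE_PSP = {"kind": "PodSecurityPolicy", "metadata": {"name": "example-psp", "annotations": {
    f"{SECCOMP}/defaultProfileName": "runtime/default",
    f"{SECCOMP}/allowedProfileNames": "runtime/default,localhost/audit.json",
    f"{APPARMOR}/allowedProfileNames": "runtime/default,",
}}}

if __name__ == "__main__":
    for key, level in classify_psp(SAMPLE_PSP).items():
        print(f"{level:<11} {key}")
```

A result of "Privileged" for any annotation means pods admitted by that policy may use profile values that neither the Baseline nor the Restricted standard accepts.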