---
title: "Pod Security Standards"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/
---

The Pod Security Standards define three profiles that broadly cover the security spectrum, from least to most restrictive:
- Privileged
- Baseline
- Restricted

Nirmata provides Kyverno policies mapped to each control in the Baseline and Restricted profiles. Refer to the official [Kubernetes documentation](https://kubernetes.io/docs/concepts/security/pod-security-standards/) to learn more about the profiles themselves.

To install all the policies for Pod Security Standards, refer to the instructions provided in the [README](https://github.com/nirmata/kyverno-policies/tree/main/pod-security) guide.

Click on the profiles below to dig deeper into each control and its associated Kyverno policy. For each control, Nirmata also provides a reference example of a resource that conforms to the policy.

---

## Baseline profile

The Baseline profile is aimed at ease of adoption for common containerized workloads while preventing known privilege escalations. It is targeted at application operators and developers of non-critical applications.

Click on each control to learn more about it.
- [disallow-capabilities](./disallow-capabilities/)
- [disallow-host-namespaces](./disallow-host-namespaces/)
- [disallow-host-path](./disallow-host-path/)
- [disallow-host-ports](./disallow-host-ports/)
- [disallow-host-process](./disallow-host-process/)
- [disallow-privileged-containers](./disallow-privileged-containers/)
- [disallow-proc-mount](./disallow-proc-mount/)
- [disallow-selinux](./disallow-selinux/)
- [restrict-apparmor-profiles](./restrict-apparmor-profiles/)
- [restrict-seccomp](./restrict-seccomp/)
- [restrict-sysctls](./restrict-sysctls/)

---

## Restricted profile

The Restricted profile is aimed at enforcing current Pod hardening best practices, at the expense of some compatibility. It is targeted at operators and developers of security-critical applications, as well as lower-trust users.

Click on each control to learn more about it.
- [disallow-capabilities-strict](./disallow-capabilities-strict/)
- [disallow-privilege-escalation](./disallow-privilege-escalation/)
- [require-run-as-non-root-user](./require-run-as-non-root-user/)
- [require-run-as-non-root](./require-run-as-non-root/)
- [restrict-seccomp-strict](./restrict-seccomp-strict/)
- [restrict-volume-types](./restrict-volume-types/)