---
title: "Workload Security"
description: "Runtime security policies for Kubernetes workloads. Enforce security contexts, restrict dangerous capabilities, control volume mounts, and harden container configurations."
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/workload-security/
---


Kyverno policies for hardening Kubernetes workload runtime security beyond the Pod Security Standards.

## What's Covered

- **Security context enforcement** — Require non-root users, read-only root filesystems
- **Capability restrictions** — Drop all capabilities, allowlist only what's needed
- **Volume security** — Restrict sensitive host path mounts
- **Network security** — Enforce endpoint protection and egress controls
- **RBAC restrictions** — Prevent over-privileged service account bindings
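As an added illustration of the first two categories above (this is an example written for this page, not a policy from the Nirmata library), the following Kyverno `ClusterPolicy` rejects Pods whose containers do not run as non-root with a read-only root filesystem, and Pods whose containers do not drop all Linux capabilities; the policy and rule names are assumed.

```yaml
# Added example: hardens container security contexts with two validate rules.
# Pods that fail either rule are rejected at admission (Enforce mode); with
# background: true, existing Pods are also reported as violations.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: harden-workload-security-context   # assumed name
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    # Rule 1: every container (including init and ephemeral containers, when
    # present) must declare runAsNonRoot and readOnlyRootFilesystem.
    - name: require-non-root-and-read-only-rootfs
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: >-
          Containers must set securityContext.runAsNonRoot=true and
          securityContext.readOnlyRootFilesystem=true.
        pattern:
          spec:
            # "=()" is Kyverno's conditional anchor: the nested pattern is
            # only checked when the field exists in the Pod.
            =(initContainers):
              - securityContext:
                  runAsNonRoot: true
                  readOnlyRootFilesystem: true
            =(ephemeralContainers):
              - securityContext:
                  runAsNonRoot: true
                  readOnlyRootFilesystem: true
            containers:
              - securityContext:
                  runAsNonRoot: true
                  readOnlyRootFilesystem: true
    # Rule 2: every container must drop ALL capabilities. A separate rule can
    # then allowlist the few that may be added back (e.g. NET_BIND_SERVICE).
    - name: require-drop-all-capabilities
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Containers must drop ALL capabilities."
        pattern:
          spec:
            containers:
              - securityContext:
                  capabilities:
                    drop: ["ALL"]
```

Apply it with `kubectl apply -f` and confirm with `kubectl get clusterpolicy` that the policy reports Ready before relying on it; a Pod that writes to its root filesystem will fail to start once `readOnlyRootFilesystem` is required, so give such workloads an `emptyDir` volume for their writable paths.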

All workload security policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/workload-security).


