Leveling up Kubernetes Posture: From baselines to risk-aware admission
Blog post from Sysdig
Kubernetes posture management typically begins with basic guardrails, such as Pod Security Standards (PSS), which provide a foundation by blocking obviously unsafe workloads. However, these baselines can become inadequate as modern Kubernetes environments evolve to include complex workloads with unique security needs. The default Pod Security Admission (PSA) offers predictable but limited enforcement, focusing on broad security levels without considering specific workload contexts.

As environments mature, the need for more expressive and contextual risk management becomes apparent, prompting some teams to explore more flexible admission frameworks like OPA Gatekeeper or Sysdig. These tools allow for more granular enforcement by considering workload identity, ownership, and other attributes, enabling risk-aware decisions that go beyond simple checklist compliance.

While PSA establishes a baseline, tools like Sysdig can enhance posture management by incorporating vulnerability assessments and contextual considerations, allowing teams to maintain robust security without compromising operational needs. This shift from static checklists to informed decision-making ensures that Kubernetes security reflects the diverse and dynamic nature of modern workloads, balancing pre-admission controls with runtime security for comprehensive protection.
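The contrast the post draws, a PSA-style level check versus an admission decision that also weighs workload context and vulnerability findings, is easier to see in code. The following is an added example written for this page; it is not Sysdig's, OPA Gatekeeper's or Kubernetes' own code. It implements a subset of the PSS baseline and restricted controls keyed off the real `pod-security.kubernetes.io/enforce` namespace label, then layers on a namespace ownership label and an exception annotation (both keys, `example.com/owner` and `example.com/pss-exception`, are assumptions) and a per-image vulnerability verdict (constructed data). The sample namespace, pods and scan results are constructed for the demonstration.

```python
"""Risk-aware admission decision (added illustration, not a vendor's or Kubernetes' code).
Layers: PSS level from the namespace label -> workload context (owner, documented
exception) -> external vulnerability verdict. Only pod-security.kubernetes.io/enforce
is a real Kubernetes key; the other label/annotation keys are assumptions."""
from dataclasses import dataclass, field

PSS_LABEL = "pod-security.kubernetes.io/enforce"   # real PSA namespace label
OWNER_LABEL = "example.com/owner"                   # assumed ownership label
EXCEPTION_ANNOTATION = "example.com/pss-exception"  # assumed; comma-separated control names

# Capabilities the PSS baseline profile allows a container to add (per the standard).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Controls that no owner or exception may waive (a policy choice of this example).
NON_WAIVABLE = {"privileged"}


@dataclass
class Decision:
    allowed: bool = True
    reasons: list = field(default_factory=list)    # why the pod was denied
    warnings: list = field(default_factory=list)   # admitted, but flagged for follow-up


def containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def pss_violations(pod, level):
    """Names of PSS controls the pod violates at `level` (a subset of the standard)."""
    if level == "privileged":           # the unrestricted profile checks nothing
        return []
    spec = pod.get("spec", {})
    found = {k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)}
    for c in containers(pod):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            found.add("privileged")
        if set(caps.get("add", [])) - BASELINE_ALLOWED_CAPS:
            found.add("capabilities")
        if level == "restricted":
            if sc.get("allowPrivilegeEscalation", True):   # must be explicitly false
                found.add("allowPrivilegeEscalation")
            if "ALL" not in caps.get("drop", []):
                found.add("dropAllCapabilities")
            if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
                found.add("capabilities")
            pod_sc = spec.get("securityContext", {})
            if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
                found.add("runAsNonRoot")
    return sorted(found)


def admit(pod, namespace, scan_results):
    """Risk-aware decision: PSS level, then workload context, then vulnerability findings."""
    ns_labels = namespace.get("metadata", {}).get("labels", {})
    level = ns_labels.get(PSS_LABEL, "privileged")   # PSA treats an unlabeled namespace this way
    owner = ns_labels.get(OWNER_LABEL)
    annotations = pod.get("metadata", {}).get("annotations", {})
    waived = {w.strip() for w in annotations.get(EXCEPTION_ANNOTATION, "").split(",") if w.strip()}
    d = Decision()
    for control in pss_violations(pod, level):
        # PSA alone would reject every violation. Here a documented exception on a
        # namespace with a known owner downgrades a waivable control to a warning.
        if control in waived and owner and control not in NON_WAIVABLE:
            d.warnings.append(f"{control} waived by exception, owner={owner}")
        else:
            d.allowed = False
            d.reasons.append(f"violates PSS '{level}': {control}")
    for c in containers(pod):
        severity = scan_results.get(c["image"], "unscanned")
        if severity == "critical":          # vulnerability context PSA never sees
            d.allowed = False
            d.reasons.append(f"{c['image']}: critical vulnerability")
        elif severity in ("high", "unscanned"):
            d.warnings.append(f"{c['image']}: {severity}")
    return d


# Constructed sample data: one namespace, three images, four pods.
NAMESPACE = {"metadata": {"name": "payments",
                          "labels": {PSS_LABEL: "baseline", OWNER_LABEL: "team-payments"}}}
SCAN_RESULTS = {"registry.example/api:1.2": "low", "registry.example/agent:0.9": "low",
                "registry.example/legacy:3.1": "critical"}


def pod(name, image, spec_extra=None, sc=None, exceptions=None):
    meta = {"name": name, "annotations": {EXCEPTION_ANNOTATION: exceptions} if exceptions else {}}
    spec = {"containers": [{"name": "main", "image": image, "securityContext": sc or {}}]}
    spec.update(spec_extra or {})
    return {"metadata": meta, "spec": spec}


PODS = [
    pod("api", "registry.example/api:1.2"),                                                  # clean
    pod("node-agent", "registry.example/agent:0.9", {"hostNetwork": True}, exceptions="hostNetwork"),
    pod("debug", "registry.example/agent:0.9", sc={"privileged": True}, exceptions="privileged"),
    pod("legacy", "registry.example/legacy:3.1"),                                            # critical CVE
]

if __name__ == "__main__":
    for p in PODS:
        d = admit(p, NAMESPACE, SCAN_RESULTS)
        print(p["metadata"]["name"], "ALLOW" if d.allowed else "DENY", d.reasons, d.warnings)
```

Run as a script, the four pods illustrate the four outcomes the post describes: a clean pod is admitted; a host-networked agent that PSA would reject is admitted with a warning because its namespace has an owner and the exception is documented; a privileged pod is denied even with an exception, since that control is marked non-waivable; and a pod whose image carries a critical finding is denied although it passes every PSS check. The scan verdict is a stand-in for whatever vulnerability source an admission controller would consult.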