Last updated: 27 Feb 2025
Set security restrictions for your app
Our current workloads in our Kubernetes clusters conform to the restricted profile of the Kubernetes Pod Security Standards (PSS). A Deployment whose pod template does not meet these criteria is still accepted, but kubectl prints a PodSecurity warning naming each failing field and, in namespaces where the restricted profile is enforced, the pods themselves are rejected by the admission controller. For example:
Warning: would violate PodSecurity "restricted:latest":
allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/nginx created
To fix this, set the securityContext fields named in the warning on the pod template. allowPrivilegeEscalation and capabilities are container-level fields and must be set on every container (init containers included); runAsNonRoot and seccompProfile can be set once at pod level and are inherited by all containers.
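The following is an added example, not a manifest from this page or from any GOV.UK repository: an nginx Deployment whose pod template satisfies every check in the warning above. It assumes a namespace called apps and the nginxinc/nginx-unprivileged image, which runs as uid 101 and listens on port 8080, so it needs neither root nor the NET_BIND_SERVICE capability; the image tag is an assumption too.

```yaml
# Added example (not the page's own manifest): an nginx Deployment whose pod
# template satisfies every check in the PodSecurity "restricted" warning.
# Assumptions: namespace "apps" and the nginxinc/nginx-unprivileged image,
# which runs as uid 101 and listens on 8080, so it needs neither root nor
# NET_BIND_SERVICE. The stock nginx image runs as root: it would be admitted
# but fail at container start because runAsNonRoot is also checked by the kubelet.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # Pod-level settings are inherited by every container in the pod.
      securityContext:
        runAsNonRoot: true            # fixes: runAsNonRoot != true
        runAsUser: 101                # uid of the nginx user in the unprivileged image
        runAsGroup: 101
        seccompProfile:
          type: RuntimeDefault        # fixes: seccompProfile (Localhost is also allowed)
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:1.27   # tag is an assumption
          ports:
            - containerPort: 8080
          # These two fields exist only at container level, so they must be
          # repeated for every container and initContainer in the pod.
          securityContext:
            allowPrivilegeEscalation: false   # fixes: allowPrivilegeEscalation != false
            capabilities:
              drop: ["ALL"]                   # fixes: unrestricted capabilities
```

To check a manifest before deploying it, run kubectl apply --dry-run=server -f deployment.yaml against a namespace that carries the pod-security.kubernetes.io/warn=restricted or pod-security.kubernetes.io/enforce=restricted label. Server-side dry run passes through admission, so the same PodSecurity warning is printed (or the request is rejected) without creating anything. Admission only inspects the manifest: if runAsNonRoot is true but the image's USER is root and no runAsUser is set, the pod is admitted and the container then fails with CreateContainerConfigError at start.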
The generic-govuk-app is an example of a deployment that conforms to the restricted profile of PSS.