Pod Security Standards define a set of security profiles for Pods in Kubernetes, establishing clear expectations for how securely workloads should be configured. These standards were introduced to replace the deprecated PodSecurityPolicies (PSP) and are enforced through the Pod Security Admission controller. The standards are intentionally ordered from least restrictive to most restrictive to allow clusters to adopt security controls progressively.
The correct order from most permissive to most restrictive is: Privileged → Baseline → Restricted, which makes option A the correct answer.
The Privileged profile is the least restrictive. It allows Pods to run with elevated permissions, including privileged containers, host networking, host PID/IPC namespaces, and unrestricted access to host resources. This level is intended for trusted system components, infrastructure workloads, or cases where full access to the host is required. It offers maximum flexibility but minimal security enforcement.
The Baseline profile introduces a moderate level of security. It prevents common privilege escalation vectors, such as running privileged containers or using host namespaces, while still allowing typical application workloads to function without significant modification. Baseline is designed to be broadly compatible with most applications and serves as a reasonable default security posture for many clusters.
The Restricted profile is the most secure and restrictive. It enforces strong security best practices, such as requiring containers to run as non-root users, dropping unnecessary Linux capabilities, enforcing read-only root filesystems where possible, and preventing privilege escalation. Restricted is ideal for highly sensitive workloads or environments with strict security requirements, though it may require application changes to comply.
Options B, C, and D are incorrect because they misrepresent the intended progression of security strictness defined in Kubernetes documentation.
According to Kubernetes documentation, the Pod Security Standards are explicitly ordered to support gradual adoption: start permissive where necessary and move toward stronger security over time. Therefore, Privileged, Baseline, Restricted is the correct ordering, making option A the correct answer.
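To make the ordering concrete, the following added example (not Kubernetes or Pod Security Admission code) classifies a Pod spec against the controls named above and shows that Restricted is cumulative over Baseline. It checks only a subset: the real profiles contain further controls such as seccomp and volume types, and the function names and sample specs are assumptions constructed for illustration.

```python
# Added example: a simplified subset of the Pod Security Standards controls.
# Not Pod Security Admission's own code; pod specs are plain dicts (constructed).

def containers(spec):
    return [c for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key) or []]

def baseline_violations(spec):
    """Controls Baseline forbids: host namespaces and privileged containers."""
    found = [f"spec.{f}=true" for f in ("hostNetwork", "hostPID", "hostIPC")
             if spec.get(f)]
    for c in containers(spec):
        if (c.get("securityContext") or {}).get("privileged"):
            found.append(f"{c['name']}: privileged=true")
    return found

def restricted_violations(spec):
    """Restricted is cumulative: every Baseline control plus hardening."""
    found = baseline_violations(spec)
    pod_sc = spec.get("securityContext") or {}
    for c in containers(spec):
        sc = c.get("securityContext") or {}
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{c['name']}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation is not false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append(f"{c['name']}: capabilities.drop lacks ALL")
    return found

def strictest_level(spec):
    """Most restrictive profile the spec satisfies under this subset of checks."""
    if not restricted_violations(spec):
        return "restricted"
    return "baseline" if not baseline_violations(spec) else "privileged"

# Constructed sample specs, one per profile.
NODE_AGENT = {"hostNetwork": True, "containers": [
    {"name": "agent", "securityContext": {"privileged": True}}]}
PLAIN_WEB = {"containers": [{"name": "web", "image": "example/web:1"}]}
HARDENED = {"securityContext": {"runAsNonRoot": True}, "containers": [
    {"name": "web", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}

if __name__ == "__main__":
    for spec in (NODE_AGENT, PLAIN_WEB, HARDENED):
        print(strictest_level(spec), restricted_violations(spec))
```

A spec with no securityContext at all lands in Baseline here, which is why Baseline works as a default while Restricted usually needs manifest changes.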