k8s-manifests/pod-security/namespaces/restricted.yaml

# Restricted namespace - maximum security hardening
# For sensitive workloads and untrusted code
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-apps
  labels:
    # PSA labels - restricted at all levels
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
    # Metadata
    environment: production
    security-level: restricted
  annotations:
    description: "Restricted security for sensitive and untrusted workloads"
---
# Restricted REQUIRES:
# - runAsNonRoot: true
# - allowPrivilegeEscalation: false
# - Drop ALL capabilities (except NET_BIND_SERVICE)
# - seccompProfile: RuntimeDefault or Localhost
# - Read-only root filesystem (recommended)
#
# Restricted BLOCKS:
# - Everything baseline blocks, plus:
# - Running as root
# - Privilege escalation
# - Most capabilities
# - HostPath volumes
# - Writable root filesystems (warning only)