How Kubernetes Pod Security Contexts Still Leak Privileges
DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · 2026-06-21 · 8 min
Episode notes
Lucas and Luna break down why Kubernetes Pod Security Contexts — the container-level permissions layer — still allow privilege leaks in production. They walk through a real incident at a mid-size fintech where a sidecar container with an innocent-looking securityContext gained host-level access via CAP_SYS_ADMIN and a misconfigured seccomp profile. The episode covers the specific fields that cause drift: allowPrivilegeEscalation, capabilities.add, and seccompProfile.type set to Unconfined. Lucas explains how Pod Security Standards (baseline, restricted) don't catch all violations when applied at namespace level, especially when pods use custom runtime classes. Luna shares a counterexample where a team over-restricted and broke their Istio sidecars. The episode closes on the tension between security and operational flexibility, and the need for admission controllers that test runtime behavior, not just static manifests.
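As an added example (not code from the show or from the fintech incident it describes), a static check for the three drift fields the episode names, run over a constructed manifest whose sidecar opts out of the hardening applied to the main container; it also walks initContainers and ephemeralContainers, and treating a missing seccompProfile as Unconfined is an assumption about the cluster's kubelet defaults.

```python
from typing import Iterator

# Constructed sample, not from the episode: an app container hardened to the
# restricted profile next to a sidecar that quietly opts out of it.
LEAKY_POD = {
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]}}},
            {"name": "sidecar", "securityContext": {
                "capabilities": {"add": ["CAP_SYS_ADMIN"]},
                "seccompProfile": {"type": "Unconfined"}}},
        ],
    }
}

def iter_containers(pod: dict) -> Iterator[tuple[str, dict]]:
    """Yield every container type a pod can carry, sidecars included."""
    spec = pod.get("spec") or {}
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key) or []:
            yield c.get("name", "<unnamed>"), c

def effective_seccomp(pod: dict, container: dict) -> str:
    """Container-level seccompProfile overrides the pod-level one."""
    ctx = container.get("securityContext") or {}
    pod_ctx = (pod.get("spec") or {}).get("securityContext") or {}
    prof = ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}
    # Assumption: no profile at all means the kubelet leaves it unconfined.
    return prof.get("type", "Unconfined")

def find_drift(pod: dict) -> list[str]:
    """Return one finding per drift field, per container."""
    findings = []
    for name, c in iter_containers(pod):
        ctx = c.get("securityContext") or {}
        # Unset allowPrivilegeEscalation means true for a normal container.
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        added = (ctx.get("capabilities") or {}).get("add") or []
        # The restricted standard permits adding NET_BIND_SERVICE only.
        for cap in added:
            if cap.upper().removeprefix("CAP_") != "NET_BIND_SERVICE":
                findings.append(f"{name}: adds capability {cap}")
        if effective_seccomp(pod, c) == "Unconfined":
            findings.append(f"{name}: seccompProfile is Unconfined")
    return findings
```

This is exactly the static-manifest check the episode argues is not enough on its own: it never looks at runtimeClassName, so a custom runtime class can still change what these fields mean once the pod is running.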