Why Kubernetes Pod Security Standards Still Leak
DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · 2026-06-08 · 11 min
Episode notes
In this episode of DevOps Daily, Lucas and Luna tackle a persistent security blind spot in Kubernetes: Pod Security Standards (PSS) and why clusters that rely on them still leak sensitive data. They walk through a real-world case where a team using PSS with the 'baseline' profile left a sidecar container unmonitored, exposing database credentials. Lucas breaks down how PSS policies are evaluated only at admission time, not against runtime behavior, and how attackers exploit gaps such as init containers and ephemeral containers. Luna shares a story from a fintech startup whose PSS implementation failed because the policy was never applied to their custom namespaces. Together, they explain why you need to layer runtime security tools such as Falco or OPA Gatekeeper on top of PSS, and how to audit your PSS policies with kubectl to catch hidden leaks. This episode is for DevOps engineers who think PSS means their cluster is secure, but want to verify that it actually is.
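The namespace gap Luna describes is the easiest one to check for mechanically: Pod Security Admission only acts on a namespace that carries a `pod-security.kubernetes.io/enforce` label, so any namespace without one is effectively unpoliced. The script below is an added example written for these notes, not code from the podcast or from Kubernetes itself. It consumes the JSON that `kubectl get namespaces -o json` prints (piped on stdin) and reports namespaces with no enforce label, an enforce level weaker than the minimum you require, or no `audit`/`warn` label (so violations would never be logged or surfaced). The embedded sample document and its namespace names are constructed for the example; the label keys and levels (`privileged`, `baseline`, `restricted`) are the real Pod Security Admission ones.

```python
"""Audit Kubernetes namespaces for missing or weak Pod Security Admission labels.

Usage against a cluster:  kubectl get namespaces -o json | python psa_audit.py
Run with no stdin, it audits a constructed sample document instead.
"""
import json
import sys

LABEL_PREFIX = "pod-security.kubernetes.io/"
PSA_MODES = ("enforce", "audit", "warn")
# Higher rank = stricter profile.
LEVEL_RANK = {"privileged": 0, "baseline": 1, "restricted": 2}

# Constructed sample standing in for `kubectl get ns -o json`; not real cluster data.
SAMPLE_NS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "kube-system", "labels": {}}},
        {"metadata": {"name": "payments", "labels": {
            LABEL_PREFIX + "enforce": "baseline",
            LABEL_PREFIX + "warn": "restricted"}}},
        {"metadata": {"name": "analytics", "labels": {"team": "data"}}},
        {"metadata": {"name": "ops-tools", "labels": {
            LABEL_PREFIX + "enforce": "privileged"}}},
    ]
})


def audit_namespaces(ns_json, minimum="baseline", exempt=("kube-system",)):
    """Return a list of (namespace, finding) tuples for the given namespace JSON.

    `minimum` is the weakest enforce level you consider acceptable;
    `exempt` lists namespaces you deliberately leave unpoliced (system namespaces).
    """
    findings = []
    doc = json.loads(ns_json)
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        if name in exempt:
            continue
        labels = item["metadata"].get("labels") or {}
        enforce = labels.get(LABEL_PREFIX + "enforce")
        if enforce is None:
            # Without an enforce label PSA never rejects anything in this namespace.
            findings.append((name, "no enforce label: Pod Security Admission does not apply"))
            continue
        if enforce not in LEVEL_RANK:
            findings.append((name, f"unknown enforce level {enforce!r}"))
            continue
        if LEVEL_RANK[enforce] < LEVEL_RANK[minimum]:
            findings.append((name, f"enforce={enforce} is weaker than required {minimum}"))
        # audit/warn do not block pods, but without them violations are invisible.
        missing = [m for m in PSA_MODES[1:] if LABEL_PREFIX + m not in labels]
        if missing:
            findings.append((name, "no " + "/".join(missing) + " label: violations are not logged or warned"))
    return findings


def main():
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NS_JSON
    results = audit_namespaces(source)
    for ns, finding in results:
        print(f"{ns}: {finding}")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI gate, the non-zero exit on any finding stops a pipeline that would otherwise let an unlabelled namespace through; raise `minimum` to `restricted` for namespaces that hold credentials-bearing workloads, and keep the `exempt` list short and reviewed.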