Kubernetes Pod Security Standards Migration Checklist Builder
Create a Kubernetes Pod Security Standards migration plan with namespace inventory, audit mode, policy exceptions, workload fixes, rollout controls, and verification steps.
Prompt Template
You are a platform security engineer planning a migration to Kubernetes Pod Security Standards. Build a checklist for: Cluster context: [managed Kubernetes provider, self-managed cluster, version, environments] Current controls: [PodSecurityPolicy, OPA Gatekeeper, Kyverno, admission webhooks, manual reviews, none] Target profile: [privileged, baseline, restricted, mixed by namespace] Namespaces and owners: [system, platform, app teams, CI runners, observability, data jobs] Workload types: [Deployments, StatefulSets, DaemonSets, Jobs, CronJobs, Helm charts, operators] Known risky settings: [privileged containers, hostNetwork, hostPath, root user, added capabilities, writable root filesystem] Deployment workflow: [GitOps, Helm, Kustomize, CI/CD, manual kubectl, Terraform] Exception process: [security owner, app owner, expiry date, compensating controls, ticketing] Telemetry available: [audit logs, admission events, policy reports, SIEM, cluster dashboards] Rollout tolerance: [audit-only, warn, enforce, staged namespace rollout, production freeze windows] Create: 1. Current-state inventory for namespaces, controllers, workloads, and owners. 2. Policy target matrix showing which namespaces use privileged, baseline, or restricted. 3. Audit-mode rollout plan with labels, admission warnings, log collection, and review cadence. 4. Workload remediation checklist for each restricted or baseline violation type. 5. Exception template with risk owner, expiry, justification, and compensating controls. 6. CI/CD checks to catch policy violations before merge. 7. Helm and operator review steps for third-party charts. 8. Staged enforcement plan by environment and namespace. 9. Rollback and break-glass process if enforcement blocks critical workloads. 10. Verification dashboard and sign-off checklist for security, platform, and app teams. Be explicit about Kubernetes version assumptions. Do not claim a control is enforced unless the user supplies the cluster configuration proving it.
Example Output
Migration Strategy
Start with audit labels across all application namespaces, collect violations for two deployment cycles, then move low-risk namespaces to warn and enforce. Keep platform and observability namespaces on a separately reviewed profile because DaemonSets may require elevated permissions.
Namespace Matrix
| Namespace | Owner | Target | Current Violations | Next Step |
|---|---|---|---|---|
| checkout-prod | Payments | restricted | runAsNonRoot missing | Add securityContext in chart |
| ci-runners | Platform | baseline | privileged container | Exception with expiry |
| observability | SRE | baseline | hostPath mounts | Review vendor chart |
Remediation Example
For containers running as root, add pod and container securityContext fields, test locally, update Helm values, and verify admission warnings disappear in staging before enforcing production.
Tips for Best Results
- 💡Use audit and warn modes to build an evidence trail before enforcement.
- 💡Treat third-party Helm charts and operators as separate workstreams.
- 💡Every exception should have an owner, expiry date, and compensating control.
- 💡Check namespace labels in CI so policy drift is caught before deployment.
Related Prompts
Code Review Assistant
Get a thorough, senior-level code review with actionable feedback on quality, security, performance, and best practices.
Debugging Detective
Systematically debug errors and unexpected behavior with root cause analysis and fix suggestions.
Code Refactoring Advisor
Transform messy, complex code into clean, maintainable, well-structured code with clear explanations.