A security engineer wants to enforce that all containers in a namespace run without any unnecessary Linux capabilities, dropping all capabilities by default and only adding back what is needed. Which Pod Security Standard should be applied to that namespace using PodSecurity admission?
Restricted enforces dropping all capabilities and only adding back required ones, meeting the requirement.
Why this answer
The Restricted Pod Security Standard is the most stringent profile: it enforces dropping all capabilities by default and only allows adding back those explicitly required. It sets `securityContext.capabilities.drop: ["ALL"]` and restricts `allowedCapabilities` to an empty set, ensuring containers run with minimal Linux capabilities. This directly matches the requirement to drop all capabilities and add back only what is needed.
Exam trap
CNCF often tests the misconception that 'Baseline' is sufficient for strict capability control. Baseline only blocks known dangerous capabilities (e.g., `CAP_SYS_ADMIN`) and does not require dropping all capabilities, so candidates must recognize that only Restricted enforces a full drop-all policy.
How to eliminate wrong answers
Option A is wrong because the Privileged profile allows unrestricted capabilities and does not enforce dropping any, which is the opposite of the requirement. Option B is wrong because 'Custom' is not a valid Pod Security Standard; the three built-in standards are Privileged, Baseline, and Restricted. Option C is wrong because the Baseline profile only prevents known privilege escalations but does not require dropping all capabilities by default, so it does not enforce the strict capability policy needed.