Pod Security Admission (PSA)

📖 Definition

A built-in admission controller that enforces pod security standards at the namespace level. It replaces Pod Security Policies with predefined security profiles.

📘 Detailed Explanation

Pod Security Admission (PSA) is a built-in Kubernetes admission controller that enforces pod security standards at the namespace level. It replaces the deprecated PodSecurityPolicy mechanism with a simpler, opinionated model based on predefined security profiles. It ensures that pods meet specific security requirements before they are created or updated in a cluster.

How It Works

The controller evaluates pod specifications during the admission phase of the Kubernetes API request lifecycle. When a user or controller attempts to create or modify a pod, the admission controller checks the pod definition against a selected Pod Security Standard: Privileged, Baseline, or Restricted.

These standards define allowed and disallowed security settings, such as host namespace usage, privileged containers, volume types, capabilities, and seccomp profiles. Cluster administrators apply enforcement by labeling namespaces with pod-security.kubernetes.io labels that define the desired level and enforcement mode: enforce, warn, or audit.

In enforce mode, non-compliant pods are rejected. In warn mode, the request succeeds but generates a client-side warning. In audit mode, violations are logged in the audit trail. This namespace-scoped model simplifies policy management and avoids the complexity and operational risk associated with custom policy definitions.
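The label-driven decision described above, as an added example that is not Kubernetes code or part of this glossary entry: a small offline model of the admission decision. It implements a representative subset of the Baseline and Restricted checks from the Pod Security Standards (host namespaces, privileged containers, hostPath volumes, hostPort, capabilities, seccomp, runAsNonRoot, allowPrivilegeEscalation, volume types) and the `enforce`/`warn`/`audit` label semantics over pod manifests given as Python dicts. The namespace labels and the three sample pods are constructed for the example; the real controller covers further fields (AppArmor, SELinux, sysctls, procMount) that are omitted here.

```python
"""Offline model of a Pod Security Admission decision (added example, not Kubernetes code).

Covers a subset of the Baseline and Restricted checks and the enforce/warn/audit
namespace-label semantics. Sample pods and labels below are constructed.
"""

LABEL_PREFIX = "pod-security.kubernetes.io/"

# Capabilities a Baseline container may add on top of the runtime's default set.
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types the Restricted profile permits.
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                           "persistentVolumeClaim", "projected", "secret"}


def _containers(spec):
    """Every container kind PSA inspects: init, regular and ephemeral."""
    return [c for k in ("initContainers", "containers", "ephemeralContainers") for c in spec.get(k, [])]


def baseline_violations(spec):
    """Baseline: block known privilege escalations while allowing default pod settings."""
    v = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            v.append(f"{field}=true is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"volume {vol['name']!r}: hostPath is not allowed")
    if spec.get("securityContext", {}).get("seccompProfile", {}).get("type") == "Unconfined":
        v.append("pod seccompProfile type Unconfined is not allowed")
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            v.append(f"container {name!r}: privileged is not allowed")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ADD_CAPS
        if extra:
            v.append(f"container {name!r}: adds capabilities {sorted(extra)}")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            v.append(f"container {name!r}: seccompProfile type Unconfined is not allowed")
        if any(p.get("hostPort") for p in c.get("ports", [])):
            v.append(f"container {name!r}: hostPort is not allowed")
    return v


def restricted_violations(spec):
    """Restricted: Baseline plus hardening the pod must opt into explicitly."""
    v = baseline_violations(spec)
    for vol in spec.get("volumes", []):
        bad = (set(vol) - {"name"}) - RESTRICTED_VOLUME_TYPES
        if bad:
            v.append(f"volume {vol['name']!r}: type {sorted(bad)} is not allowed")
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {name!r}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append(f"container {name!r}: must drop capability ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"container {name!r}: may only add NET_BIND_SERVICE")
        # Pod-level settings apply unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"container {name!r}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            v.append(f"container {name!r}: runAsUser 0 is not allowed")
        if sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type") not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {name!r}: seccompProfile must be RuntimeDefault or Localhost")
    return v


CHECKS = {"privileged": lambda spec: [], "baseline": baseline_violations, "restricted": restricted_violations}


def admit(namespace_labels, pod):
    """Apply the namespace's enforce/warn/audit labels: 'errors' reject the request,
    'warnings' go back to the client, 'audit' entries go to the audit log. An unset
    mode performs no checks (equivalent to the privileged level)."""
    outcome = {"allowed": True, "errors": [], "warnings": [], "audit": []}
    for mode, key in (("enforce", "errors"), ("warn", "warnings"), ("audit", "audit")):
        level = namespace_labels.get(LABEL_PREFIX + mode)
        if level is None:
            continue
        outcome[key] = CHECKS[level](pod["spec"])
        if mode == "enforce" and outcome[key]:
            outcome["allowed"] = False
    return outcome


# Constructed namespace: reject Baseline violations, only warn/audit on Restricted ones
# (a common setup while migrating workloads toward the Restricted profile).
NS_LABELS = {LABEL_PREFIX + "enforce": "baseline", LABEL_PREFIX + "warn": "restricted",
             LABEL_PREFIX + "audit": "restricted"}
HOST_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-debug"}, "spec": {
    "hostNetwork": True, "containers": [{"name": "shell", "image": "busybox",
                                         "securityContext": {"privileged": True}}]}}
PLAIN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "containers": [{"name": "web", "image": "nginx"}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

if __name__ == "__main__":
    for pod in (HOST_POD, PLAIN_POD, HARDENED_POD):
        print(pod["metadata"]["name"], admit(NS_LABELS, pod))
```

Running it shows the three outcomes the text describes: the host-networked privileged pod is rejected by `enforce: baseline`, the plain nginx pod is admitted but collects four Restricted warnings (and matching audit entries), and the hardened pod passes all three modes cleanly. Against a real cluster the equivalent check is `kubectl apply --dry-run=server`, which surfaces the same warnings without creating the pod.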

Why It Matters

Workload isolation and least privilege are foundational to Kubernetes security. Misconfigured pods can expose host resources, escalate privileges, or bypass network boundaries. This mechanism provides a standardized and predictable way to reduce that risk across environments.

For platform teams, it lowers operational overhead. Instead of maintaining custom security policies, teams apply consistent profiles aligned with industry best practices. It also supports multi-tenant clusters by enforcing different security levels per namespace, balancing flexibility and governance.

Key Takeaway

Pod Security Admission enforces standardized, namespace-level security controls that protect Kubernetes workloads without the complexity of custom policy engines.
