This guide covers:
- Why PSA replaces PodSecurityPolicies (PSPs)
- How PSA works using namespace labels
- The three enforcement modes: enforce, audit, and warn
- Real-world examples of applying PSA to production and dev environments
“PSA allows cluster administrators to enforce standardized controls without relying on third-party tools or custom configurations.”
Audit Mode (Logs violations only):
```shell
kubectl label namespace <your-namespace> \
pod-security.kubernetes.io/audit=restricted \
pod-security.kubernetes.io/audit-version=latest
```
- It does not block pod creation.
- It does not show warnings to users.
- It does log violations in the Kubernetes audit logs.
Enforce Mode (Blocks non-compliant pods):
```shell
kubectl label namespace <your-namespace> \
pod-security.kubernetes.io/enforce=restricted \
pod-security.kubernetes.io/enforce-version=latest
```
Warn Mode (Allows pods but shows warnings):
```shell
kubectl label namespace <your-namespace> \
pod-security.kubernetes.io/warn=restricted \
pod-security.kubernetes.io/warn-version=latest
```
To test enforce mode and warn mode, apply the following sample workload in a test namespace that carries the labels above:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      runAsUser: 0 # Violates restricted policy: runs as root
      allowPrivilegeEscalation: true # Violates restricted policy: must be false
      # Also missing for restricted: runAsNonRoot: true, capabilities.drop: [ALL],
      # and a seccompProfile of type RuntimeDefault or Localhost
```
In the enforce namespace the API server rejects this pod; in the warn namespace it is created, and kubectl prints the violations as warnings.
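To see why this pod fails the restricted profile before sending it to a cluster, the following added example (not part of the original post, and not Kubernetes code) checks a Pod manifest offline against the documented restricted-profile rules, using the post's insecure-pod and a hardened version of it as constructed inputs:

```python
"""Offline check of a Pod manifest against the Pod Security 'restricted' profile.
Added example for this post; it is not Kubernetes code and only mirrors the
documented restricted-profile rules, so treat a clean result as a pre-check."""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod: dict) -> list:
    """Return the violations the restricted profile would report for this pod."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{name}: privileged containers are forbidden")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE")
        # Container-level settings override pod-level ones, as in the real admission check.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            found.append(f"{name}: runAsUser must not be 0 (root)")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found


# The post's insecure-pod manifest, written out as a dict (constructed for this example).
INSECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "insecure-pod"},
                "spec": {"containers": [{"name": "nginx", "image": "nginx",
                         "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": True}}]}}

# The same pod with every restricted-profile field set, so enforce=restricted admits it.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened-pod"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 101,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "nginx", "image": "nginx",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (INSECURE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "admitted")
```

Running it lists five findings for insecure-pod (privilege escalation, missing capability drop, missing runAsNonRoot, root UID, missing seccomp profile) and none for hardened-pod, which is the same outcome enforce=restricted gives at admission.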
Note:
PSA is evaluated at admission time, so the namespace labels affect only pods created (or updated) after the labels are applied. Pods already running in the namespace are not re-evaluated or evicted; they must be recreated to come under the policy.
Conclusion:
Implementing Pod Security Admission (PSA)
Pod Security Admission (PSA) is a powerful built-in Kubernetes feature that replaces the deprecated PodSecurityPolicy (PSP) mechanism. By using namespace-level labels and enforcement modes (enforce, audit, warn), PSA enables cluster administrators to apply consistent, standards-based security controls across workloads—without relying on external tools.
Implementing PSA helps:
- Strengthen pod-level security posture
- Simplify policy management using native Kubernetes constructs
- Gradually roll out restrictions using audit and warn modes before enforcing
Whether you're securing production workloads or sandboxing development environments, PSA offers a flexible and transparent way to enforce best practices. As Kubernetes continues to evolve, PSA is the recommended path forward for pod security.