What is the difference between Pod Security Standards and Pod Security Admission?

[Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) define three security profiles (Privileged, Baseline, Restricted) that specify what pod configurations are allowed. Pod Security Admission is the built-in admission controller that enforces these standards by validating pods against the profiles. Think of PSS as the policies and PSA as the enforcement mechanism.

Do I need to install anything to use Pod Security Admission?

No installation is required. PSA has been enabled by default in Kubernetes since version 1.23. However, it starts with privileged mode globally, so you need to configure namespace labels to enforce stricter security policies. Cloud providers like EKS, GKE, and AKS include PSA in their managed Kubernetes services.

Can Pod Security Admission work alongside other admission controllers?

Yes, PSA works seamlessly with other admission controllers including [OPA Gatekeeper](https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/), [Falco](https://falco.org/), and custom validating/mutating webhooks. PSA handles standard pod security enforcement while other controllers can implement additional policies, compliance rules, or runtime monitoring.

How does Pod Security Admission affect existing workloads?

Your existing pods keep running - PSA doesn't kill running workloads when you enable it. But here's the gotcha: when those pods restart (node drain, rolling update, crash), they'll get blocked if they violate the new security policy. I've seen teams enable PSA enforcement on Friday afternoon and come back Monday to half their apps down because pods couldn't restart over the weekend. Always test with audit mode first.

What happens to Pod Security Policies when I upgrade to Kubernetes 1.25+?

PSPs just disappear. Poof. Gone. In 1.25, the entire PSP feature was removed from Kubernetes, so any pods that relied on PSPs will fail with errors like `error validating data: unknown field "spec.securityContext.seLinuxOptions"` or similar cryptic messages. This caught a lot of teams off guard. Have your PSA migration plan ready BEFORE you upgrade, or you'll be firefighting broken deployments.

Can I use different security levels for different applications in the same namespace?

Nope. PSA is namespace-level only. Every pod in the namespace gets the same security policy. This forces you to organize your workloads properly - no more mixing dev and prod workloads in the same namespace with different security requirements. If you need fine-grained control, either create more namespaces or add OPA Gatekeeper for custom policies. Most teams end up with many more namespaces after implementing PSA.

How do I know which security profile my applications need?

Enable audit mode with the restricted profile first and check your audit logs for violations. You'll quickly see what breaks. Legacy apps usually fail restricted mode because they run as root or need write access to the root filesystem. If you see errors like `securityContext.runAsNonRoot != true`, you know your app needs to be fixed or moved to baseline. Start restrictive and work your way down until your apps actually run.

Does Pod Security Admission impact cluster performance?

PSA has minimal performance impact since it's a built-in admission controller with no external dependencies. Validation typically adds less than 1 millisecond to pod creation latency. Unlike webhook-based admission controllers, PSA doesn't introduce network calls or external service dependencies that could affect cluster stability.

Can I just disable this shit when it's blocking my deployment?

You can set the namespace to `pod-security.kubernetes.io/enforce: privileged` to turn off enforcement temporarily. But don't make this your permanent solution. The security restrictions exist because production incidents suck worse than fixing your YAML. If you're constantly hitting PSA violations, your apps probably have bigger security problems anyway.

What cloud providers support Pod Security Admission?

All the big cloud providers have PSA working, though each one has their own special way of making it complicated. [AWS EKS](https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy.html) (1.23+) keeps it simple - PSA works like vanilla Kubernetes. [Google GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/podsecurityadmission) Standard works fine, but Autopilot forces baseline mode and won't let you go privileged for user workloads (learned this when trying to run an old monitoring stack). [Azure AKS](https://learn.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security): where Microsoft took a simple concept and added 3 layers of complexity because why make it easy? They have PSA AND Azure Policy fighting each other, so you'll get confusing errors about which system is blocking your pods.

Why the hell do my pods keep getting rejected?

Check if you pinned the version wrong - `pod-security.kubernetes.io/enforce-version: v1.29`. If that's missing or wrong, PSA uses different rules than you expect. Also, both your pod AND containers need security contexts for restricted mode. And don't forget init containers - they need to follow the policy too. The error messages are better than PSP's garbage, but they're still cryptic half the time. `violates PodSecurity "restricted:latest": securityContext.runAsNonRoot != true` means you forgot to set `runAsNonRoot: true` in your security context.

Is Pod Security Admission suitable for regulatory compliance?

PSA handles the real security problems. For compliance theater and auditor checkbox-checking, you'll need OPA Gatekeeper and a lot of patience. The three standard profiles handle the obvious security holes, but compliance frameworks love their specific requirements that PSA doesn't know about. Most teams end up adding OPA Gatekeeper for the compliance theater while PSA does the actual security work.

Can I create custom security profiles beyond the three standard ones?

No, PSA only supports the three predefined profiles (Privileged, Baseline, Restricted) as defined by the Pod Security Standards. If you need custom security policies beyond these profiles, consider using OPA Gatekeeper for additional validation or implementing custom admission webhooks alongside PSA.

How does Pod Security Admission handle init containers and ephemeral containers?

PSA validates all container types within a pod, including init containers, ephemeral containers, and sidecar containers. All containers must comply with the namespace's security profile. This means that if your main application container is compliant but an init container violates the policy, the entire pod will be rejected.

What's the migration path from Pod Security Policies to Pod Security Admission?

Follow the [official migration guide](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/) but here's what they don't tell you: start with audit mode in ONE namespace first, not your entire cluster. I watched a team enable PSA audit globally and get flooded with thousands of violation logs from 47 different PSPs they'd forgotten existed. Check your audit logs for a week, fix the obvious violations, then enable warn mode so users see what's coming. Only then enable enforcement, and do it namespace by namespace. Don't touch PSPs until PSA is rock solid - I've seen teams accidentally delete their PSPs during "cleanup" and lose all security for 6 hours until they figured out what happened.

What happens to my existing workloads when I enable PSA?

Your running pods keep running - PSA doesn't kill anything. But here's the gotcha: when those pods restart (node maintenance, rolling update, crash), they'll get blocked if they violate the new policy. I've seen teams enable PSA on Friday and come back Monday to half their apps down because pods couldn't restart over the weekend. Always test with audit mode first - run `kubectl get events --field-selector type=Warning` to see what would break.

Why do my pods keep getting rejected even though I set the namespace labels?

Check if you have the version pinned correctly - `pod-security.kubernetes.io/enforce-version: v1.29`. If the version is wrong or missing, PSA might use different policy rules than you expect. Also check if your pod spec includes security contexts for both the pod AND containers - restricted mode requires both. Another gotcha: init containers and ephemeral containers must also comply with the policy.

Currently viewing the AI version

Switch to human version

Pod Security Admission (PSA) - AI-Optimized Technical Reference

Core Functionality

What PSA Does:

Built-in Kubernetes validating admission controller (enabled by default since v1.23)
Enforces three predefined security profiles via namespace labels
Replaces deprecated Pod Security Policies (PSPs) removed in v1.25
Validates pods before creation, rejects non-compliant workloads immediately

Key Technical Advantage:

Namespace-label based policy assignment eliminates RBAC complexity
Built into API server (no webhook timeouts or external dependencies)
Sub-millisecond validation performance (<1ms per pod)

Configuration That Works in Production

Essential Namespace Configuration

apiVersion: v1
kind: Namespace
metadata:
  name: production-workloads
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.29  # CRITICAL: Always pin version
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.29
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: v1.29

Critical Configuration Requirements:

Always pin version (enforce-version: v1.29) - Kubernetes upgrades change policy rules without warning
Use three enforcement modes during rollout:
- audit: Logs violations without blocking (for discovery)
- warn: Shows warnings to users (for preparation)
- enforce: Blocks violating pods (for production)

Security Profile Selection

Profile	Use Case	Blocks	Allows
Privileged	System pods, legacy apps	Nothing	Root users, host access, privileged containers
Baseline	Most production workloads	Privileged containers, host networking	Root users, most capabilities
Restricted	Cloud-native apps only	Root users, most capabilities, host access	Non-root only, read-only root FS

Profile Selection Reality:

Privileged: Required for kube-proxy, CNI drivers, most legacy applications
Baseline: Where 80% of production workloads end up (developers haven't fixed root user dependencies)
Restricted: Only works for applications designed with security from day one

Implementation Failure Scenarios

Critical Migration Failures

PSP to PSA Migration Gotchas:

Existing pods continue running but fail to restart when nodes drain/pods crash
Friday afternoon PSA enablement → Monday morning half the applications down
Missing version pinning → Kubernetes upgrades silently change security policies
Global audit mode → Thousands of violation logs flood monitoring systems

Common Production Failures

Pod Rejection Scenarios:

# This will fail in restricted mode - missing security context
spec:
  containers:
  - name: app
    image: myapp:latest
    # ERROR: No securityContext specified

Required Fix for Restricted Mode:

spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]

Hidden Validation Requirements:

Both pod AND container security contexts required for restricted mode
Init containers must also comply with namespace policy
Ephemeral containers validated against same rules
Sidecar containers injected by operators can violate policy and block entire pod

Cloud Provider Specific Issues

Amazon EKS:

Works as expected, no surprises
PSA enabled in privileged mode by default

Google GKE:

Standard clusters: Normal PSA behavior
Autopilot clusters: Forces baseline mode, cannot override to privileged for user workloads
Migration blocker: Legacy monitoring stacks requiring privileged access

Azure AKS:

Policy conflict hell: PSA AND Azure Policy can fight each other
Confusing error messages: Multiple systems blocking same pod with different reasons
Recommendation: Choose PSA OR Azure Policy, not both

Resource Requirements and Costs

Time Investment for Migration

Discovery phase: 1-2 weeks running audit mode to identify violations
Remediation per application: 2-8 hours depending on security context requirements
Testing and validation: 1 week per environment
Total migration time: 4-12 weeks for medium-sized clusters

Expertise Requirements

Kubernetes security context understanding: Medium complexity
YAML debugging skills: Required for violation troubleshooting
Namespace organization: Critical for policy boundaries

Hidden Costs

Increased namespace count: PSA forces proper workload separation
Application refactoring: Legacy apps requiring root access need code changes
Monitoring system updates: Need to handle PSA violation logs

Performance and Operational Impact

Performance Characteristics

Validation latency: <1ms per pod creation
Memory overhead: Negligible (namespace policies cached in memory)
CPU impact: Minimal (simple security context comparisons)
Scale limit: None identified (scales with API server capacity)

Monitoring Requirements

# Essential monitoring commands
kubectl describe pod <pod-name>  # Shows PSA rejection reasons in events
kubectl get events --field-selector type=Warning  # Shows what would break
kubectl get namespace -o yaml  # Verify which policies are active

Decision Criteria: When PSA is Worth It

PSA vs Alternatives Comparison

Solution	Installation	Learning Curve	Policy Flexibility	Maintenance	Performance
PSA	Built-in	Low (3 profiles)	Limited to standards	None	Minimal
OPA Gatekeeper	External deployment	High (Rego language)	Unlimited custom	High monitoring overhead	Low impact
Falco	Daemon deployment	Medium	Event-based only	Daemon management	High CPU usage

Use PSA When:

Standard security profiles meet requirements
Want zero operational overhead
Need consistent policy across cloud providers
Migrating from deprecated PSPs

Add OPA Gatekeeper When:

Need custom compliance policies beyond three standard profiles
Require fine-grained per-workload policies within namespaces
Compliance frameworks demand specific controls not in PSA

Critical Warnings and Gotchas

What Official Documentation Doesn't Tell You

Version Pinning Critical:

Unpinned versions (latest) change behavior during Kubernetes upgrades
Policy rules can become stricter without warning
Always use specific versions: v1.29 not latest

Namespace Organization Impact:

Cannot have different security levels for workloads in same namespace
Forces organizational changes to namespace structure
Dev/prod workload separation becomes mandatory

Existing Workload Behavior:

Running pods unaffected by PSA policy changes
Pods fail to restart during maintenance/crashes if they violate new policies
Zero-downtime migration requires careful audit mode planning

Breaking Points and Failure Modes

Failure Conditions:

Legacy applications requiring root access fail restricted mode
Applications needing host filesystem access fail baseline/restricted modes
Init containers with privileged requirements break entire pod
Sidecar injection by service mesh operators can violate policies

Recovery Strategies:

Temporary privileged mode override for emergency deployments
Namespace-level policy relaxation during incidents
Application-specific namespace creation for incompatible workloads

Migration Strategy for Production

Phase 1: Discovery (Week 1-2)

Enable audit mode with restricted profile globally
Monitor audit logs for violations
Catalog applications by security profile requirements
Identify applications requiring remediation

Phase 2: Preparation (Week 3-6)

Enable warn mode for user feedback
Remediate applications for target security profiles
Create namespace organization plan
Test policy enforcement in staging environments

Phase 3: Enforcement (Week 7-12)

Enable enforcement namespace by namespace
Start with new applications and least critical workloads
Migrate critical production workloads last
Maintain emergency override procedures

Phase 4: Optimization (Ongoing)

Monitor for policy violations
Upgrade applications to higher security profiles when possible
Review and tighten policies based on operational experience

Troubleshooting Guide

Common Error Messages and Solutions

Error: violates PodSecurity "restricted:latest": securityContext.runAsNonRoot != true
Solution: Add runAsNonRoot: true and runAsUser: 1000 to pod security context

Error: violates PodSecurity "baseline:latest": allowPrivilegeEscalation != false
Solution: Set allowPrivilegeEscalation: false in container security context

Error: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false
Solution: Add complete security context with all required fields for restricted mode

Debugging Workflow

Check namespace labels with kubectl get namespace <name> -o yaml
Verify version pinning is correct for cluster version
Review pod security context completeness
Test with kubectl apply --dry-run=server before actual deployment
Use audit mode temporarily to identify all violations

This technical reference provides the operational intelligence needed for successful PSA implementation while avoiding the common pitfalls that cause production failures.

Useful Links for Further Investigation

Essential Pod Security Admission Resources

Link	Description
Pod Security Admission	The official documentation for Pod Security Admission. Comprehensive but dry, it serves as a good reference once you understand the basics.
Pod Security Standards	This documentation, though dry, is necessary as it tells you exactly what each Pod Security Standard level blocks.
Admission Controllers Overview	A dry but complete overview explaining how Pod Security Admission fits into the broader Kubernetes admission control chain.
Enforcing Pod Security Standards	A best practices guide for implementing Pod Security Standards in production environments, covering gradual rollout strategies and common pitfall avoidance.
Migrate from PodSecurityPolicy to PSA	This is the actual migration guide for transitioning from PodSecurityPolicy to Pod Security Admission. Following it is crucial to avoid weeks of debugging broken policies.
Configure Security Context	The most useful documentation for fixing Pod Security Admission violations, providing working examples that are proven to be effective.
Namespace Label Configuration	Step-by-step instructions for applying Pod Security Admission policies using namespace labels, including details on version pinning and enforcement mode configuration.
Amazon EKS Pod Security Standards	AWS-specific guidance for implementing Pod Security Admission in EKS clusters, covering default configurations and integration with AWS security services.
Google GKE Pod Security Admission	Google Cloud documentation for Pod Security Admission implementation in both GKE Standard and Autopilot clusters, including provider-specific configuration options.
Azure AKS Pod Security	Microsoft Azure's guide to pod security best practices in AKS, covering Pod Security Admission configuration and Azure Policy integration considerations.
Open Policy Agent Gatekeeper	Official Gatekeeper documentation for Kubernetes, providing details on implementing policy enforcement. Be prepared for the complexities of Rego if choosing this solution.
Falco Runtime Security	Documentation for Falco, a runtime security tool that provides continuous monitoring to detect suspicious activity, though it may generate extensive logs.
Pod Security Policy Deprecation Notice	The official announcement explaining the deprecation of Pod Security Policies and how Pod Security Admission was designed to address the identified issues.
Kubernetes Security Slack	An active community discussion channel for authentication and authorization topics, offering assistance with Pod Security Admission implementation questions and troubleshooting.
Pod Security Standards KEP	The Kubernetes Enhancement Proposal that guided the development of Pod Security Admission, offering detailed context on design decisions and implementation rationale.
Security Context Constraints (OpenShift)	Red Hat OpenShift's alternative approach to pod security, which is useful for understanding different implementation strategies and migration considerations.
kubectl dry-run	Documentation for kubectl dry-run, an essential command for testing Pod Security Admission policies safely without making actual changes to your cluster.
Polaris	A useful tool for catching Pod Security Admission violations and other misconfigurations before they are deployed to your Kubernetes cluster.
kube-score	A lighter alternative to Polaris, kube-score effectively catches most Pod Security Admission violations and other common issues before deployment.
CIS Kubernetes Benchmark	Industry standard security configuration guidelines for Kubernetes, designed to complement and enhance the implementation of Pod Security Standards.
NSA/CISA Kubernetes Hardening Guide	Government security recommendations for Kubernetes deployment, offering additional context for Pod Security Admission usage within secure environments.

Pod Security Admission (PSA) - AI-Optimized Technical Reference

Core Functionality

Configuration That Works in Production

Essential Namespace Configuration

Security Profile Selection

Implementation Failure Scenarios

Critical Migration Failures

Common Production Failures

Cloud Provider Specific Issues

Resource Requirements and Costs

Time Investment for Migration

Expertise Requirements

Hidden Costs

Performance and Operational Impact

Performance Characteristics

Monitoring Requirements

Decision Criteria: When PSA is Worth It

PSA vs Alternatives Comparison

Use PSA When:

Add OPA Gatekeeper When:

Critical Warnings and Gotchas

What Official Documentation Doesn't Tell You

Breaking Points and Failure Modes

Migration Strategy for Production

Phase 1: Discovery (Week 1-2)

Phase 2: Preparation (Week 3-6)

Phase 3: Enforcement (Week 7-12)

Phase 4: Optimization (Ongoing)

Troubleshooting Guide

Common Error Messages and Solutions

Debugging Workflow

Useful Links for Further Investigation

Essential Pod Security Admission Resources

Related Tools & Recommendations

Pod Security Standards - Three Security Levels Instead of Policy Hell

GKE Security That Actually Stops Attacks

Pod Security Admission Implementation Guide

Open Policy Agent (OPA) - Policy Engine That Centralizes Your Authorization Hell

Complete Kubernetes Security Monitoring Stack Setup - Zero to Production

RHACS Security Incident Response

Kubernetes Security Policies Are Blocking Everything - Here's How to Actually Fix It

Amazon EKS - Managed Kubernetes That Actually Works

Google Kubernetes Engine (GKE) - Google's Managed Kubernetes (That Actually Works Most of the Time)

jQuery - The Library That Won't Die

Your Kubernetes Cluster is Probably Fucked

Hardening GKE Enterprise - Security That Actually Works

RHACS Compliance Implementation: Stop Panicking When Auditors Show Up

Container Runtime Security is Where Everything Goes to Hell

Hoppscotch - Open Source API Development Ecosystem

Stop Jira from Sucking: Performance Troubleshooting That Works

kube-bench - Actually Useful K8s Security Auditing

cert-manager - Stops You From Getting Paged at 3AM Because Certs Expired Again

Northflank - Deploy Stuff Without Kubernetes Nightmares

RHACS Troubleshooting Guide: Fix the Stuff That Breaks