Pod Security Standards: Admission Control and Secure Pod Configuration

Calendar February 22, 2026
Security
Intermediate
Pod-Security-Configuration, Admission-Control-Setup, Security-Context-Hardening, Policy-Engine-Deployment
Pod-Security, Psa, Security-Context, Opa-Gatekeeper, Kyverno, Admission-Control
Kubectl, Opa-Gatekeeper, Kyverno

Pod Security Standards#

Kubernetes Pod Security Standards define three security profiles that control what pods are allowed to do. Pod Security Admission (PSA) enforces these standards at the namespace level. This is the replacement for PodSecurityPolicy, which was removed in Kubernetes 1.25.

The Three Levels#

Privileged – Unrestricted. No security controls applied. Used for system-level workloads like CNI plugins, storage drivers, and logging agents that genuinely need host access.

Baseline – Prevents known privilege escalations. Blocks hostNetwork, hostPID, hostIPC, privileged containers, and most host path mounts. Allows most workloads to run without modification.

Pod Security Standards and Admission: Replacing PodSecurityPolicy

Calendar February 21, 2026
Kubernetes
Intermediate
Pod-Security-Configuration, Namespace-Security, Migration-Planning, Security-Hardening
Pod-Security, Psa, Psp, Security, Admission-Control
Kubectl

Pod Security Standards and Admission#

PodSecurityPolicy (PSP) was removed from Kubernetes in v1.25. Its replacement is Pod Security Admission (PSA), a built-in admission controller that enforces three predefined security profiles. PSA is simpler than PSP – no separate policy objects, no RBAC bindings to manage – but it is also less flexible. You apply security standards to namespaces via labels and the admission controller handles enforcement.

The Three Security Standards#

Kubernetes defines three Pod Security Standards, each progressively more restrictive: