Pod Security Standards: Admission Control and Secure Pod Configuration

Calendar February 22, 2026
Security
Intermediate
Pod-Security-Configuration, Admission-Control-Setup, Security-Context-Hardening, Policy-Engine-Deployment
Pod-Security, Psa, Security-Context, Opa-Gatekeeper, Kyverno, Admission-Control
Kubectl, Opa-Gatekeeper, Kyverno

Pod Security Standards#

Kubernetes Pod Security Standards define three security profiles that control what pods are allowed to do. Pod Security Admission (PSA) enforces these standards at the namespace level. This is the replacement for PodSecurityPolicy, which was removed in Kubernetes 1.25.

The Three Levels#

Privileged – Unrestricted. No security controls applied. Used for system-level workloads like CNI plugins, storage drivers, and logging agents that genuinely need host access.

Baseline – Prevents known privilege escalations. Blocks hostNetwork, hostPID, hostIPC, privileged containers, and most host path mounts. Allows most workloads to run without modification.