Pod Security Admission is a built-in Kubernetes admission controller that enforces predefined security levels on pods at creation time. It intercepts pod creation requests and validates their security context against a configured standard—privileged, baseline, or restricted—preventing the deployment of overly permissive or insecure agent containers.
Glossary
Pod Security Admission

What is Pod Security Admission?
Pod Security Admission (PSA) is a built-in Kubernetes admission controller that enforces predefined, configurable security standards on pods at creation time, replacing the deprecated PodSecurityPolicy.
PSA operates by applying namespace labels to define the desired security posture, eliminating the complexity of the deprecated PodSecurityPolicy. The restricted level, for example, mandates that containers run as non-root, drop all capabilities, and disable host namespace sharing, directly enforcing least privilege execution for autonomous agent workloads.
Pod Security Admission Levels
Pod Security Admission (PSA) defines three distinct policy levels that control the security posture of pods at creation time, replacing the deprecated PodSecurityPolicy (PSP) with a built-in, label-driven admission controller.
Privileged
The privileged level is a completely unrestricted policy that allows all known privilege escalations. It is intended for trusted, system-level workloads managed by administrators.
- Permits host namespaces (network, PID, IPC)
- Allows privileged containers with full capabilities
- Accepts hostPath volumes and unrestricted sysctls
- Suitable for logging daemons, CNI plugins, and node agents
This level provides no security restrictions and should never be used for multi-tenant or untrusted workloads.
Baseline
The baseline level prevents known privilege escalations while allowing the default, minimally specified pod configuration. It is the recommended minimum for most application workloads.
- Blocks host namespaces and hostPath volumes
- Prohibits privileged containers and
CAP_SYS_ADMIN - Restricts hostPort ranges and
/procmount types - Allows standard volume types (configMap, secret, emptyDir)
Baseline targets the easiest-to-exploit privilege escalations while maintaining broad compatibility with existing deployments.
Restricted
The restricted level enforces the current best practices for pod hardening, following the Pod Security Standards at the cost of some compatibility. It is required for true multi-tenant environments.
- Requires
runAsNonRoot: trueand drops all capabilities - Mandates seccomp profiles (RuntimeDefault or localhost)
- Restricts volume types to projected, downwardAPI, and ephemeral only
- Enforces
allowPrivilegeEscalation: false
This level aligns with the restricted Pod Security Standard and is the target for zero-trust cluster architectures.
Namespace Label Enforcement
PSA policies are enforced at the namespace level using well-known labels, providing a declarative model that does not require modifying admission webhook configurations.
pod-security.kubernetes.io/enforce: Blocks non-compliant podspod-security.kubernetes.io/audit: Logs violations without blockingpod-security.kubernetes.io/warn: Returns warnings to the user
Each label accepts a level value (privileged, baseline, restricted) and an optional version (e.g., v1.29) to lock policy definitions to a specific Kubernetes release.
Exemption Mechanism
PSA supports fine-grained exemptions for specific users, namespaces, or runtime classes that must bypass policy enforcement. This is critical for infrastructure components.
- Usernames: Exempt specific service account identities
- RuntimeClasses: Exempt pods using a particular container runtime
- Namespaces: Exempt entire namespaces by name
Exemptions are configured in the Pod Security Admission controller configuration and should be audited regularly to prevent privilege creep in system namespaces like kube-system.
Migration from PSP
Pod Security Admission replaces the deprecated PodSecurityPolicy (PSP) with a simpler, label-based model that does not require creating and binding complex policy objects.
- PSPs were mutating; PSA is purely validating
- PSA policies map directly to the Pod Security Standards
- Use
kubectl labelto apply policies instead of RBAC bindings - The
kubectldry-run server flag (--dry-run=server) validates pods against PSA before submission
Migration tools like the PSP Migrator can analyze existing PSPs and generate equivalent namespace labels automatically.
Frequently Asked Questions
Clear, technical answers to the most common questions about enforcing Pod Security Standards natively in Kubernetes to secure autonomous agent workloads.
Pod Security Admission (PSA) is a built-in Kubernetes admission controller that enforces predefined Pod Security Standards on pods at creation time. It replaces the deprecated PodSecurityPolicy (PSP) by intercepting API server requests to create or update pods and validating their security context against one of three policy levels: privileged, baseline, or restricted. PSA operates at the namespace level using simple labels, such as pod-security.kubernetes.io/enforce: restricted, to define the desired policy. When a pod specification violates the enforced standard—for example, by requesting hostNetwork: true in a restricted namespace—the API server rejects the request with a clear error message before the pod is ever scheduled. This in-process enforcement mechanism eliminates the need for external webhooks, reducing latency and operational complexity while providing a consistent, native security barrier for agent containers.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Pod Security Admission vs. Other Kubernetes Security Controls
A feature-level comparison of Pod Security Admission against Pod Security Policies, OPA/Gatekeeper, and Kyverno for enforcing pod security standards in Kubernetes clusters.
| Feature | Pod Security Admission | Pod Security Policies | OPA/Gatekeeper | Kyverno |
|---|---|---|---|---|
Built-in to Kubernetes | ||||
Enforcement point | Admission controller | Admission controller | Admission controller | Admission controller |
Policy definition format | Predefined PSA labels | Custom PodSecurityPolicy objects | Rego policy language | Kubernetes-native YAML policies |
Granularity of control | 3 predefined levels (Privileged, Baseline, Restricted) | Fine-grained per-capability control | Arbitrary custom rules | Arbitrary custom rules |
Mutating admission support | ||||
Namespace-level enforcement | ||||
Exemption mechanism | Namespace labels with warnings | RBAC-based authorization | Exclusion by namespace or object labels | Exclusion by namespace or object selectors |
Current support status | GA since Kubernetes 1.25 | Removed in Kubernetes 1.25 | CNCF graduated project | CNCF incubating project |
Related Terms
Pod Security Admission is one layer in a defense-in-depth strategy for agent sandboxing. These related concepts complete the security posture for autonomous workloads.
User Namespace Remapping
Maps a container's root user (UID 0) to an unprivileged, high-numbered UID on the host. If an agent escapes the container, it does not gain root on the host.
- Eliminates the risk of privilege escalation on container breakout
- Enabled via
userns-remapin the container runtime configuration - A foundational control that Pod Security Admission's
RunAsNonRootenforcement builds upon
Ephemeral Environment
A short-lived, disposable execution context created from a known-good image and destroyed after a single agent task. Prevents state contamination and persistent threats.
- Each agent invocation starts from a clean, immutable snapshot
- Eliminates the risk of an attacker persisting across task boundaries
- Works with Pod Security Admission to ensure even ephemeral pods meet baseline security standards

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us