Enforce Pod Security Standards by Configuring the Built-in Admission Controller

Kubernetes provides a built-in admission controller to enforce the Pod Security Standards. You can configure this admission controller to set cluster-wide defaults and exemptions.

Before you begin

Following an alpha release in Kubernetes v1.22, Pod Security Admission became available by default in Kubernetes v1.23, as a beta. From version 1.25 onwards, Pod Security Admission is generally available.

To check the version, enter kubectl version.

If you are not running Kubernetes 1.30, you can switch to viewing this page in the documentation for the Kubernetes version that you are running.

Configure the Admission Controller

Note: pod-security.admission.config.k8s.io/v1 configuration requires v1.25+. For v1.23 and v1.24, use v1beta1. For v1.22, use v1alpha1.

  1. apiVersion: apiserver.config.k8s.io/v1
  2. kind: AdmissionConfiguration
  3. plugins:
  4. - name: PodSecurity
  5. configuration:
  6. apiVersion: pod-security.admission.config.k8s.io/v1 # see compatibility note
  7. kind: PodSecurityConfiguration
  8. # Defaults applied when a mode label is not set.
  9. #
  10. # Level label values must be one of:
  11. # - "privileged" (default)
  12. # - "baseline"
  13. # - "restricted"
  14. #
  15. # Version label values must be one of:
  16. # - "latest" (default)
  17. # - specific version like "v1.30"
  18. defaults:
  19. enforce: "privileged"
  20. enforce-version: "latest"
  21. audit: "privileged"
  22. audit-version: "latest"
  23. warn: "privileged"
  24. warn-version: "latest"
  25. exemptions:
  26. # Array of authenticated usernames to exempt.
  27. usernames: []
  28. # Array of runtime class names to exempt.
  29. runtimeClasses: []
  30. # Array of namespaces to exempt.
  31. namespaces: []

Note: The above manifest needs to be specified via the --admission-control-config-file to kube-apiserver.