KubeDojo

Pod Security Standards and Pod Security Admission

by Alexis Kinsella · 18 min read

PodSecurityPolicy was removed in Kubernetes v1.25. Its replacement, the Pod Security Admission controller, shipped as GA in the same release and is enabled in every cluster by default. Yet if you haven't explicitly configured it, every namespace in your cluster runs with the Privileged profile: zero restrictions, full host access, root containers. The gate is there. It's just wide open.

The KCSA exam lists "Pod Security Standards" and "Pod Security Admissions" as the first two subtopics under Kubernetes Security Fundamentals (22% of the exam). This lesson covers the three PSS profiles, what each restricts at the pod spec level, how the PSA controller enforces them through namespace labels and cluster-wide configuration, and the multi-mode strategy that makes progressive rollout practical.
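To make the "wide open by default" point concrete, here is an added example (not part of the original lesson) that reads a namespace list and reports the effective Pod Security Admission level for each mode. It assumes no cluster-wide admission configuration defaults are set, so an unlabeled mode falls back to Privileged; the sample namespaces and the function names are constructed for illustration.

```python
import json

PREFIX = "pod-security.kubernetes.io/"
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}
MODES = ("enforce", "warn", "audit")

# Constructed sample shaped like `kubectl get namespaces -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "legacy"}},  # no PSA labels at all
    {"metadata": {"name": "payments", "labels": {
        PREFIX + "enforce": "baseline",
        PREFIX + "warn": "restricted",
        PREFIX + "audit": "restricted"}}},
    {"metadata": {"name": "frontend", "labels": {
        PREFIX + "enforce": "restricted"}}},
]})


def effective_modes(namespace):
    """Return {mode: level}; an unset mode is treated as privileged
    (assumption: no cluster-wide defaults have been configured)."""
    labels = namespace["metadata"].get("labels") or {}
    return {m: labels.get(PREFIX + m, "privileged") for m in MODES}


def audit_namespaces(doc):
    """Map namespace name -> findings for a NamespaceList JSON string."""
    report = {}
    for ns in json.loads(doc)["items"]:
        modes = effective_modes(ns)
        unknown = [f"{m}: unrecognized level {v!r}"
                   for m, v in modes.items() if v not in LEVELS]
        if unknown:
            report[ns["metadata"]["name"]] = unknown
            continue
        findings = []
        enforce = LEVELS[modes["enforce"]]
        if enforce == 0:
            findings.append("enforce is privileged: no pod is rejected")
        # warn/audit set above enforce is the usual progressive-rollout state
        stricter = [m for m in ("warn", "audit") if LEVELS[modes[m]] > enforce]
        if stricter:
            findings.append("rollout in progress: " + "/".join(stricter)
                            + " stricter than enforce")
        report[ns["metadata"]["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_namespaces(SAMPLE).items():
        print(name, "->", findings or ["ok"])
```

Against a live cluster, pass the output of `kubectl get namespaces -o json` to `audit_namespaces` instead of the constructed sample.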
