DevOps Glossary

Kubernetes Pod Security Admission

Kubernetes Pod Security Admission checks Pod specs against the Pod Security Standards before a Pod is created or updated.

Kubernetes Pod Security Admission, often called PSA, is a built-in Kubernetes admission controller that checks Pod specs against the Pod Security Standards before the API server allows a create or update request. It applies policy at the namespace level using labels for the privileged, baseline, and restricted profiles, and it can enforce, warn, or audit violations. Teams use PSA to reduce risky workload settings such as privileged containers, host network or host PID access, unsafe Linux capabilities, and containers running as root. It is simpler than external policy engines because it ships with Kubernetes, but it is limited to the built-in Pod Security Standards, so teams that need custom rules often pair it with tools such as Kyverno, Gatekeeper, or admission webhooks.
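The namespace labels and profiles described above, shown as an added example that is not part of the original page: a namespace that enforces the restricted profile and a Pod that passes it. The namespace name, Pod name, image, and UID are assumptions chosen for illustration.

```yaml
# Added example. Namespace name, Pod name, image and UID are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # enforce: the API server rejects Pods that violate the profile.
    pod-security.kubernetes.io/enforce: restricted
    # Policy version to evaluate against; "latest" tracks the cluster version.
    pod-security.kubernetes.io/enforce-version: latest
    # warn: the client receives a warning. audit: the audit log event is annotated.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  # hostNetwork, hostPID and hostIPC are left unset, so they default to false.
  securityContext:
    runAsNonRoot: true          # containers may not run as root
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault      # required by the restricted profile
  containers:
    - name: api
      image: registry.example.com/payments/api:1.0.0
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]         # restricted allows adding back only NET_BIND_SERVICE
```

With `enforce` set, a Pod in this namespace that sets `privileged: true` or `hostNetwork: true` is rejected at admission. A namespace that carries only the `warn` and `audit` labels admits the same Pod and reports the violation, which is a common way to trial a stricter profile before enforcing it.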