PodSecurityPolicies (PSP) are gone; Pod Security Standards + Pod Security Admission are the replacement. They define three profiles — privileged, baseline, restricted — and enforce them per namespace. Getting workloads to fit 'restricted' is one of the highest-leverage hardening efforts.
Privileged — anything goes
All capabilities, host network, host paths, runAsRoot — anything. Right for system components in kube-system. Wrong for app workloads.
Baseline — minimum prevention
Blocks host network, host PID, privileged containers, hostPath volumes, dangerous capabilities (CAP_SYS_ADMIN etc.). Allows runAsRoot, unrestricted user/group. Reasonable lift for legacy apps. Aim here at minimum.
Restricted — modern default
Adds: must run as non-root, must drop ALL capabilities, must use seccomp RuntimeDefault, must use read-only root filesystem. New apps should be here on day one.
How to enforce
Label the namespace: pod-security.kubernetes.io/enforce: restricted. Add warn and audit labels too — they log violations without blocking. Run in audit mode for a release before enforcing.
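A namespace manifest carrying all three labels, as an added example (not from the original note). The namespace name is a placeholder; the staging it shows is the one the text recommends: enforce at baseline now, while audit and warn report against restricted so violations surface in the audit log and as client warnings before the enforce label is raised. The `-version` labels pin which release of the standard is evaluated; `latest` tracks the API server's version.

```yaml
# Constructed example: namespace with Pod Security Admission labels.
# enforce -> rejects non-conforming pods at admission
# audit   -> records violations as audit-log annotations, never blocks
# warn    -> returns a warning to the client (kubectl shows it), never blocks
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                      # placeholder namespace name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
```

To preview what raising the bar would reject without changing anything, run the label change with a server-side dry run: `kubectl label --dry-run=server --overwrite ns team-a pod-security.kubernetes.io/enforce=restricted`. The API server answers with a warning for every existing pod in the namespace that would violate the new level. Note that changing the enforce label never evicts pods that are already running; it only affects pods created or updated afterwards, so a violating Deployment keeps running until its next rollout, at which point the new pods are rejected.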
Migration tactics
Start with audit mode and review logs. Fix the highest-violation workloads first (often base images that assume root). Use distroless or chainguard images to satisfy non-root by default. Test cases: filesystem writes (mount emptyDir + writable volume), port binding (use 1024+).
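A pod spec that passes the restricted profile, as an added example covering both the restricted requirements listed above and the migration test cases (writable paths and port binding). It is constructed for this note, not taken from the page; the names, image reference and UID are placeholders. Two caveats a reviewer will hit in practice: the profile also requires `allowPrivilegeEscalation: false` on every container, which the summary above does not list, and `readOnlyRootFilesystem` is good practice but is not itself one of the restricted checks, so a pod without it still admits.

```yaml
# Constructed example: pod that admits under enforce=restricted.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: team-a                 # placeholder namespace
spec:
  # Pod-level settings are inherited by every container unless overridden.
  securityContext:
    runAsNonRoot: true              # required by restricted
    runAsUser: 65532                # any non-zero UID; 65532 is the distroless "nonroot" user
    runAsGroup: 65532
    fsGroup: 65532                  # makes mounted volumes writable for that group
    seccompProfile:
      type: RuntimeDefault          # required: RuntimeDefault or Localhost
  containers:
  - name: app
    image: registry.example/app:1.0 # placeholder image reference
    ports:
    - containerPort: 8080           # >1024: no NET_BIND_SERVICE needed after dropping ALL
    securityContext:
      allowPrivilegeEscalation: false   # required on every container, init containers included
      capabilities:
        drop: ["ALL"]               # required; only NET_BIND_SERVICE may be added back
      readOnlyRootFilesystem: true  # not a restricted check, but forces writes onto declared volumes
    volumeMounts:
    - name: tmp
      mountPath: /tmp               # writable scratch space for the app
    - name: cache
      mountPath: /var/cache/app     # second writable path the app needs
  volumes:
  # emptyDir is one of the volume types restricted allows; hostPath is not.
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
```

Apply it with `kubectl apply -f pod.yaml --dry-run=server` against a namespace carrying a `warn: restricted` label to see the exact fields the admission controller objects to; the warning names each offending container and field, which is what makes it the fastest way to triage a legacy workload before the enforce label is raised.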