Why Your Kubernetes Cluster Needs a Pod Security Admission
DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · 2026-05-27 · 8 min
Episode notes
In this episode, Lucas and Luna dive into Kubernetes Pod Security Admission — the successor to PodSecurityPolicies (PSPs) that's now mandatory in Kubernetes 1.25 and later. They break down the three built-in security levels (privileged, baseline, restricted), walk through a real-world migration from PSPs to PSA for a fintech company, and explain why most teams have misconfigured their admission webhooks. Lucas shares concrete examples of how a single mislabeled namespace can expose your cluster to container escape attacks, and Luna pushes back on the complexity of adopting restricted profiles for legacy workloads. They also discuss the operational impact: how PSA affects CI/CD pipelines, why you should test admission policies with dry-run mode, and the common gotcha around ephemeral containers. If you're running Kubernetes without validating your Pod Security Admission settings, your cluster is likely less secure than you think.