PSA, Kyverno & Gatekeeper
The pod-hardening floor plus custom policy.
With the admission pipeline understood, the question is which policy engine enforces what. Pod Security Admission covers the built-in pod-hardening baseline; Kyverno and Gatekeeper cover everything custom. Used together they form a defense-in-depth admission layer.
Pod Security Admission
PSA is the built-in successor to the removed PodSecurityPolicy. It enforces the Pod Security Standards — three profiles applied per namespace via labels: privileged (no restrictions), baseline (blocks the most dangerous settings), and restricted (the hardened profile: runAsNonRoot, no privilege escalation, drop ALL capabilities, seccomp RuntimeDefault, no hostPath/hostNetwork). Each profile runs in one of three modes — enforce (reject), audit (log), warn (message) — so you can roll out by labeling namespaces audit/warn first, then enforce. PSA is the cheapest, highest-value admission control you can turn on.
# Label a namespace to enforce "restricted" — and warn on the next standard up,# so you see what a stricter policy would catch before flipping it to enforce.apiVersion: v1kind: Namespacemetadata:name: prodlabels:pod-security.kubernetes.io/enforce: restrictedpod-security.kubernetes.io/enforce-version: latestpod-security.kubernetes.io/warn: restrictedpod-security.kubernetes.io/audit: restricted# Non-compliant pods (privileged, hostPath, root) are now rejected in prod.
Custom policy with Kyverno / Gatekeeper
PSA governs the pod security context but cannot express arbitrary rules — for that you add a policy engine. Kyverno uses declarative YAML policies (validate, mutate, generate, verifyImages); OPA Gatekeeper uses Rego constraints. They enforce the things PSA cannot: only signed images from your registry may run, every pod must carry certain labels, no LoadBalancer services in this namespace, inject a default network policy. The pattern for both is the same as everywhere: author policy as reviewed, version-controlled code, roll it out in audit before enforce, and treat exceptions as scoped and expiring.