Enforce Pod Security Standards with Namespace Labels
Your Kubernetes server must be at or later than version v1.22. To check the version, enter kubectl version.
- Blocks any pods that don't satisfy the baseline policy requirements.
- Generates a user-facing warning and adds an audit annotation to any created pod that does not meet the restricted policy requirements.
Note: When an enforce policy (or version) label is added or changed, the admission plugin will test each pod in the namespace against the new policy. Violations are returned to the user as warnings.
If you're just getting started with the Pod Security Standards, a suitable first step would be to configure all namespaces with audit annotations for a stricter level such as baseline:
Applying to a single namespace
You can update a specific namespace as well. This command adds the enforce=restricted policy to , pinning the restricted policy version to v1.23.
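The staged rollout described above (preview enforcement, then audit and warn across all namespaces, then pinned enforcement on one namespace), written as an added example that is not taken from the original page. The function names, the KUBECTL override and the namespace name demo-namespace are assumptions of this example.

```shell
#!/bin/sh
# Added example: staged Pod Security Standards rollout via namespace labels.
# KUBECTL may be overridden; KUBECTL=echo prints each command instead of running it.
KUBECTL="${KUBECTL:-kubectl}"
PSS="pod-security.kubernetes.io"

# Accept only the three Pod Security Standards levels.
pss_valid_level() {
  case "$1" in
    privileged|baseline|restricted) return 0 ;;
    *) echo "invalid level: $1" >&2; return 1 ;;
  esac
}

# Step 1: server-side dry run of an enforce label on every namespace.
# Nothing is persisted; the API server returns warnings for existing pods
# that would violate the level.
pss_preview_enforce_all() {   # args: level
  pss_valid_level "$1" || return 1
  "$KUBECTL" label --dry-run=server --overwrite ns --all "$PSS/enforce=$1"
}

# Step 2: record violations without blocking anything (audit + warn modes).
pss_audit_warn_all() {        # args: level
  pss_valid_level "$1" || return 1
  "$KUBECTL" label --overwrite ns --all "$PSS/audit=$1" "$PSS/warn=$1"
}

# Step 3: enforce on one namespace, pinned to a policy version.
pss_enforce_pinned() {        # args: namespace level version
  pss_valid_level "$2" || return 1
  case "$3" in
    latest|v1.[0-9]*) ;;
    *) echo "version must be 'latest' or look like v1.23: $3" >&2; return 1 ;;
  esac
  "$KUBECTL" label --overwrite ns "$1" "$PSS/enforce=$2" "$PSS/enforce-version=$3"
}

# Typical order (demo-namespace is a placeholder, not a name from the page):
#   pss_preview_enforce_all baseline
#   pss_audit_warn_all baseline
#   pss_enforce_pinned demo-namespace restricted v1.23
```

Running step 1 first shows which existing workloads would violate the level before any label is actually changed.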