Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller

    Your Kubernetes server must be at or later than version v1.22. To check the version, enter kubectl version.

    Steps

    • Eliminate mutating PodSecurityPolicies, if your cluster has any set up.
      • Clone all mutating PSPs into a non-mutating version.
      • Watch for Pods using the mutating PSPs and work with code owners to migrate to valid, non-mutating resources.
      • Delete mutating PSPs.
    • Select a compatible policy level for each namespace. Analyze existing resources in the namespace to drive this decision.
      • Review the requirements of the different Pod Security Standards.
      • Evaluate the difference in privileges that would come from disabling the PSP controller.
    • Apply the selected profiles in warn and audit mode. This will give you an idea of how your Pods will respond to the new policies, without breaking existing workloads. Iterate on your Pods until they are in compliance with the selected profiles.
    • Apply the profiles in enforce mode.
    • Stop including PodSecurityPolicy in the --enable-admission-plugins flag.
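The following is an added example that walks the steps above offline; it is not tooling from the Kubernetes project. It works on plain dicts shaped like the manifests `kubectl get -o json` returns, so it needs no cluster. The list of mutating PSP settings, the capability allow-list, and the Baseline and Restricted checks it applies are assumptions drawn from the Pod Security Standards and the PodSecurityPolicy reference; the check subset covers the best-known controls, not the complete standard, so confirm against the current reference before relying on a "restricted" verdict. The sample PSP and Pod manifests are constructed.

```python
"""Offline helpers for the PSP -> PodSecurity admission migration steps above.

Constructed example, not the Kubernetes project's own tooling. It works on plain
dicts shaped like the manifests `kubectl get -o json` returns, so it runs without
a cluster. The check subset is an assumption: it covers the best-known Baseline
and Restricted controls, not the complete Pod Security Standards.
"""

# Step 1: PSP settings that mutate Pods instead of only validating them (assumed list).
MUTATING_PSP_FIELDS = ("defaultAddCapabilities", "requiredDropCapabilities",
                       "defaultAllowPrivilegeEscalation")
MUTATING_RULE_FIELDS = ("seLinux", "runAsUser", "runAsGroup",
                        "supplementalGroups", "fsGroup")
MUTATING_PSP_ANNOTATIONS = (
    "seccomp.security.alpha.kubernetes.io/defaultProfileName",
    "apparmor.security.beta.kubernetes.io/defaultProfileName",
)
# Capabilities the Baseline profile lets a container add on top of the default set.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def mutating_psp_fields(psp):
    """Return the mutating settings in a PSP; an empty list means it only validates."""
    spec = psp.get("spec", {})
    found = [f for f in MUTATING_PSP_FIELDS if f in spec]
    found += [f"{f}.rule=MustRunAs" for f in MUTATING_RULE_FIELDS
              if spec.get(f, {}).get("rule") == "MustRunAs"]
    ann = psp.get("metadata", {}).get("annotations", {})
    found += [a for a in MUTATING_PSP_ANNOTATIONS if a in ann]
    return sorted(found)


def _containers(pod):
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod):
    """Baseline controls: no host namespaces, hostPath, privileged or extra capabilities."""
    spec = pod["spec"]
    v = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    v += [f"hostPath volume {vol.get('name')}"
          for vol in spec.get("volumes", []) if "hostPath" in vol]
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"{c['name']}: privileged")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ALLOWED_CAPS
        if extra:
            v.append(f"{c['name']}: adds capabilities {','.join(sorted(extra))}")
    return v


def restricted_violations(pod):
    """Restricted = Baseline plus no privilege escalation, drop ALL, non-root, seccomp."""
    v = baseline_violations(pod)
    pod_sc = pod["spec"].get("securityContext", {})
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            v.append(f"{c['name']}: must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"{c['name']}: may only add NET_BIND_SERVICE")
        # Container-level settings override the Pod-level securityContext.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"{c['name']}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"{c['name']}: seccompProfile must be RuntimeDefault or Localhost")
    return v


def strictest_compliant_level(pods):
    """Step 2: the strictest level that every Pod already in the namespace satisfies."""
    if all(not restricted_violations(p) for p in pods):
        return "restricted"
    if all(not baseline_violations(p) for p in pods):
        return "baseline"
    return "privileged"


def pss_namespace_labels(level, enforce=False, version="latest"):
    """Steps 3-4: warn+audit labels first; add enforce only once the namespace is clean."""
    labels = {}
    for mode in ("warn", "audit") + (("enforce",) if enforce else ()):
        labels[f"pod-security.kubernetes.io/{mode}"] = level
        labels[f"pod-security.kubernetes.io/{mode}-version"] = version
    return labels


def kubectl_label_command(namespace, labels):
    """The kubectl invocation that applies the labels to a namespace."""
    pairs = " ".join(f"{k}={v}" for k, v in sorted(labels.items()))
    return f"kubectl label --overwrite namespace {namespace} {pairs}"


# Constructed sample manifests, trimmed to the fields the checks read.
SAMPLE_PSP = {"metadata": {"name": "legacy"}, "spec": {
    "defaultAddCapabilities": ["NET_BIND_SERVICE"], "runAsUser": {"rule": "MustRunAs"}}}
RESTRICTED_OK = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
BASELINE_ONLY = {"spec": {"containers": [{"name": "worker"}]}}
NEEDS_PRIVILEGED = {"spec": {"hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    print("mutating PSP settings:", mutating_psp_fields(SAMPLE_PSP))
    for ns, pods in {"web": [RESTRICTED_OK], "batch": [RESTRICTED_OK, BASELINE_ONLY],
                     "infra": [NEEDS_PRIVILEGED]}.items():
        print(kubectl_label_command(ns, pss_namespace_labels(strictest_compliant_level(pods))))
```

Run it as-is to see the warn/audit label commands for the three constructed namespaces; in a real migration, feed `mutating_psp_fields` each PSP from `kubectl get psp -o json` and the violation functions each Pod from `kubectl get pods -n NAMESPACE -o json`, then re-run `pss_namespace_labels(level, enforce=True)` only after the audit log and warnings for that namespace have gone quiet.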