Pod Security Admission

PSA replaces PSP. The migration.

Modes

enforce, audit, warn per namespace.

Test with audit; switch to enforce.

Levels

privileged, baseline, restricted.

Baseline default; restricted for hardened.

Migrate

Per namespace; prod last.

Catches the egregious before it ships.