Governance & Power

Pod Security Admission and the Hierarchy of Trust

Pod security is a boundary between ‘works’ and ‘safe to run.’ The hierarchy of trust must be explicit and enforced.

Return to Library Governance Apply

Text

Authored as doctrine; evaluated as operations.

Doctrine

Execution privileges must be earned. PSA is an institutional tool that encodes that reality across namespaces and teams.

Kubblai doctrine: trust is tiered and reviewable, never implicit.

Rollout strategy

Start in audit/warn modes. Inventory violations. Fix workloads with the highest leverage first. Then enforce with staged exceptions.

PSA can brick deploys if rolled out blindly. Discipline matters.

Standardize namespace labels and ownership.
Make exceptions explicit, time-bound, and reviewed.
Pair enforcement with documentation and examples.

Operational realities

Legacy workloads often rely on privileges: root, hostPath, privileged containers. Removing privilege requires redesign, not policy alone.

Your goal is steady reduction of risk without destabilizing service.

Governance

PSA is governance at scale. It should be owned by the platform institution, not delegated ad-hoc to every team.

Measure violation rates and tie them to remediation programs.

Canonical Link

Canonical URL: /library/pod-security-admission-and-the-hierarchy-of-trust

Related Readings

Advanced Disciplines

Runtime Security and the Defense of the Sacred Plane

Security is not a feature; it is an operational discipline. Controls must be enforceable and survivable under load.

Governance & Power

RBAC and the Governance of Power

RBAC is the cluster’s constitution. Poorly written, it becomes silent catastrophe during incident response.

Governance & Power

Admission Control and the Rite of Judgment

Admission is where governance becomes enforceable. It is also a place where outages are born.