Legacy GKE control: review PodSecurityPolicy migration status

**Legacy control:** PodSecurityPolicy (PSP) was the old Kubernetes admission controller for enforcing pod security requirements. Kubernetes deprecated PSP and removed it in Kubernetes 1.25. In current GKE guidance, the replacement is Pod Security Admission and the Kubernetes Pod Security Standards.

Category: Controls
Medium
Applies to: General guidance
Coverage: Reference entry
Asset types: Not specified

Rationale

This control is only meaningful for older clusters running Kubernetes versions that predate the removal of PSP. For modern GKE environments, the real security objective is to enforce pod security through Pod Security Admission, restricted namespace policies, and related workload hardening controls.

Remediation guidance

Current recommendation

Do not try to enable PodSecurityPolicy on current GKE clusters. That feature was removed upstream in Kubernetes 1.25 and GKE documents migration away from PSP.

For legacy clusters that still use PSP

  1. Inventory existing PodSecurityPolicy objects and the users, service accounts, or controllers that depend on them.
  2. Migrate those controls to Pod Security Admission labels and any supporting admission policy you require.
  3. Disable PSP before upgrading the cluster to versions where PSP is removed.

Example namespace labels for Pod Security Admission:

```shell
kubectl label --overwrite ns [NAMESPACE] \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/warn=restricted
```

Validate the namespace labels:

```shell
kubectl get ns [NAMESPACE] --show-labels
```

Important note

This repository currently has no active automated rule for this control (the `rules` field is null). Treat it as legacy content that should eventually be replaced by modern Pod Security Admission controls rather than by a PSP enablement check.

References

  1. https://cloud.google.com/kubernetes-engine/docs/how-to/migrate-podsecuritypolicy
  2. https://kubernetes.io/docs/concepts/security/pod-security-admission/

Service-wide remediation

Recommended when many resources are affected: replace PSP-era policy with a modern pod security baseline across all namespaces and clusters.

Standardize Pod Security Admission labels, admission policy, and workload exception handling in your platform baseline so the replacement is consistent everywhere.

Operational rollout

  1. Identify legacy clusters and namespaces that still depend on PSP-era behavior.
  2. Roll out Pod Security Admission labels in audit or warn mode first, then move to enforce.
  3. Plan retirement of this legacy control once modern replacement controls are fully in place.
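The validation step and the audit/warn-then-enforce rollout above can be turned into a small planning check. The following is an added example, not part of this control entry or of any Cyscale rule; it parses constructed namespace JSON shaped like `kubectl get ns -o json` and, for each namespace, reports the next Pod Security Admission rollout step and the `kubectl label` command for it.

```python
import json

PSA_PREFIX = "pod-security.kubernetes.io/"
PSA_MODES = ("enforce", "audit", "warn")

# Constructed sample shaped like `kubectl get ns -o json`; not from a real cluster.
SAMPLE_NS_JSON = json.dumps({"items": [
    {"metadata": {"name": "payments", "labels": {}}},
    {"metadata": {"name": "batch", "labels": {
        PSA_PREFIX + "audit": "restricted", PSA_PREFIX + "warn": "restricted"}}},
    {"metadata": {"name": "web", "labels": {
        PSA_PREFIX + "enforce": "restricted", PSA_PREFIX + "audit": "restricted",
        PSA_PREFIX + "warn": "restricted"}}},
    {"metadata": {"name": "legacy", "labels": {PSA_PREFIX + "enforce": "privileged"}}},
]})


def psa_levels(ns_obj):
    """Map each PSA mode to the level set on the namespace (None if unset)."""
    labels = ns_obj["metadata"].get("labels") or {}
    return {mode: labels.get(PSA_PREFIX + mode) for mode in PSA_MODES}


def next_step(ns_obj, target="restricted"):
    """Return (status, kubectl command) for the next rollout step.

    Order follows the guidance above: audit/warn at the target level first,
    enforce only once both are in place. An enforce label at a weaker level
    (e.g. privileged) does not count as done.
    """
    name = ns_obj["metadata"]["name"]
    levels = psa_levels(ns_obj)
    if levels["enforce"] == target:
        return "done", None
    if levels["audit"] == target and levels["warn"] == target:
        return "enforce", f"kubectl label --overwrite ns {name} {PSA_PREFIX}enforce={target}"
    cmd = (f"kubectl label --overwrite ns {name} "
           f"{PSA_PREFIX}audit={target} {PSA_PREFIX}warn={target}")
    return "audit-warn", cmd


def plan(ns_json, target="restricted"):
    """Build {namespace: (status, command)} from `kubectl get ns -o json` output."""
    items = json.loads(ns_json)["items"]
    return {ns["metadata"]["name"]: next_step(ns, target) for ns in items}


if __name__ == "__main__":
    for name, (status, cmd) in plan(SAMPLE_NS_JSON).items():
        print(f"{name}: {status}" + (f"\n  {cmd}" if cmd else ""))
```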

Query logic

These are the stored checks tied to this control.

No stored query bodies are attached to this entry.
