The PodSecurity admission controller is the built-in, native Kubernetes mechanism for enforcing the Pod Security Standards (PSS). This controller is enabled by default in modern Kubernetes versions. Administrators can enforce specific PSS levels (Privileged, Baseline, or Restricted) on a per-namespace basis by applying labels to the namespace metadata. For example, labeling a namespace with pod-security.kubernetes.io/enforce=restricted will cause the admission controller to reject any new pods in that namespace that do not conform to the Restricted policy. This method does not require any third-party software.

A. Kyverno and OPA are powerful third-party policy engines, not native Kubernetes components. The question specifically asks for a method without third-party tools.

C. This is false. The PodSecurity admission controller is a native, built-in feature of Kubernetes that can enforce the Pod Security Standard without external tools.

D. This is incorrect. Enforcement is not automatic. An administrator must explicitly configure which policy to apply to each namespace by setting the appropriate labels.

1. Kubernetes Documentation

"Pod Security Admission": This official document states

"Pod Security Admission is a built-in admission controller that implements the security controls outlined in the Pod Security Standards." It further explains the enforcement mechanism: "The desired policy is configured on a per-namespace basis by adding labels to a namespace." (See sections: "Pod Security Admission" and "Configuring Pod Security Admission").

2. Kubernetes Documentation

"Pod Security Standards": This page defines the standards themselves and notes their enforcement via the built-in PodSecurity admission controller. (See section: "What's next?").

3. Kubernetes Documentation

"Admission Controllers Reference": The PodSecurity controller is listed as a recommended

enabled-by-default admission controller. (See section: "PodSecurity").