On Wed, 14 Apr 2021, 11:33 am Yiqi Gao, ***@***.***> wrote: See new PSP replacement <https://docs.google.com/document/d/1dpfDF3Dk4HhbQe74AyCpzUYMjp4ZhiEgGXSMpVWLlqQ/edit> . The change is about replacing current PSP, which is not namespaced, with namespace labels such as podsecurity.kubernetes.io/warn=restricted. The PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25. This may affect HNC in two aspects: 1. People will use these new labels to enforce pod security policies per namespace then. Since the label is on namespaces and HNC doesn't propagate labels on a subnamespace, there's no difference of HNC creating a new subnamespace or privileged users creating a new namespace without additional labels. However, users without privileges to create namespaces may not be able to update namespace labels. So we may need to enable them to self-serve namespaces with labels. 2. The other thing that may affect HNC is that if users use HNC to propagate pods, some propagation may fail because of the mismatching pod security policy label on the local child namespace. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1473>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AE43PZAJK74HKQLKQHYAJQDTIWYU5ANCNFSM425UJKJA> .