Question about replace PSP with PSA in EKS unmanaged cluster

0

Hi, I currently have my cluster upgraded to v1.24, and I have already installed the pod-security-admission webhook. It also worked, as I could see there were some warnings. But if I remove the default eks.privileged policy, pods fail to create with the error "no providers available to validate pod request". Is there anything else I need to do to completely disconnect that PSP? If I upgrade my cluster to v1.25 now, will it be disrupted because PSP is removed from Kubernetes 1.25? Thanks!

vinhoe
Asked 1 year ago, viewed 2323 times
1 answer
1
Accepted answer

Please be advised that as of Amazon EKS 1.23, the PodSecurity validating admission controller is already installed, as part of native Kubernetes. You do not have to install any additional OSS PSA webhook.

Amazon EKS clusters with Kubernetes versions 1.13 to 1.24 have a default pod security policy that’s named eks.privileged. This policy isn’t relevant, starting from Amazon EKS 1.25. For this particular PSP, you will not need to do anything. However, if you remove this PSP—or associated ClusterRole and ClusterRoleBinding—prior to 1.25, your Pods will not start in Amazon EKS. You will see the error you mentioned:

pods "..." is forbidden: PodSecurityPolicy: no providers available to validate pod request

So, you should not remove this PSP or associated resources prior to Amazon EKS 1.25. As of 1.25, these resources are no longer available, and you do not need to do anything to remediate them. However, you would have to remediate any PSP resources you have created, beyond the default eks.privileged PSP.

For additional information about moving from PSP to PSA/PSS, please reference our blog post: Implementing Pod Security Standards in Amazon EKS. You can also reference this OSS project, Pod Security Admission (PSA) Testing for Kubernetes 1.23, that explains how we tested PSA/PSS when PSA went beta in Kubernetes 1.23.

Finally, there is this additional blog post, Managing Pod Security on Amazon EKS with Kyverno, that explains how to use PSA/PSS with the Policy-as-Code solution, Kyverno, in case the PSA/PSS does not provide the granular security you need, or that you had with PSP.

As always, please reach out should you have additional questions or concerns.

AWS
Answered 1 year ago
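Since the answer points to PSA/PSS as the replacement for PSP but does not show what the built-in PodSecurity admission controller actually consumes, here is an added example (not part of the answer above and not AWS's own code) of the namespace labels that drive it, together with a pod that passes the "restricted" profile. The namespace name `payments` and the image `example.com/app:1.0` are constructed placeholders; the label keys, profile names and `securityContext` fields are the upstream Kubernetes ones.

```yaml
# Added example: Pod Security Standards enforced by the built-in PodSecurity
# admission controller (the PSA that EKS 1.23+ already ships), not a PSP.
# Namespace name "payments" is a constructed placeholder.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Reject pods that violate the "restricted" profile.
    pod-security.kubernetes.io/enforce: restricted
    # Pin the profile to a Kubernetes minor version so a cluster upgrade
    # does not silently change which pods are rejected.
    pod-security.kubernetes.io/enforce-version: v1.24
    # Record violations in the API audit log and return a warning to the
    # client, without blocking the pod; start with only these two labels
    # when migrating and add "enforce" once the warnings are gone.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# A pod that satisfies "restricted": no privilege escalation, runs as
# non-root, uses the runtime default seccomp profile, drops all capabilities.
apiVersion: v1
kind: Pod
metadata:
  name: psa-ok
  namespace: payments
spec:
  containers:
    - name: app
      image: example.com/app:1.0   # constructed placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop: ["ALL"]
```

Before switching a namespace that already has workloads to `enforce`, you can preview which running pods would be rejected without changing anything: `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` returns a warning per non-compliant pod. Note that PSA only offers the three fixed profiles (privileged, baseline, restricted) per namespace; per-field rules of the kind PSP allowed are where the Kyverno route mentioned in the answer comes in.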
