When legacy workloads need NET_RAW, blanket Pod Security Admission enforcement breaks them — this episode walks through using Kyverno mutation policies to handle the exception without weakening your cluster-wide baseline.
You'll learn:
- Why NET_RAW is dropped by the Kubernetes restricted and baseline PSA profiles and what that breaks in practice
- How to write a Kyverno mutate policy that injects a securityContext exception for specific legacy workloads
- Namespace-scoping strategies so your mutation doesn't accidentally widen the attack surface cluster-wide
- How to test policy enforcement with kubectl --dry-run and Kyverno's CLI before rolling to production
- Common gotchas: policy ordering, admission webhook conflicts, and audit vs enforce mode differences
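As an added example (not from the episode and not Kyverno project code), here is the shape of a mutation policy that grants only CAP_NET_RAW to explicitly labelled legacy Pods in one namespace, while still dropping every other capability and enforcing non-root. The namespace name `legacy-net` and the opt-in label `legacy.example.com/needs-net-raw` are assumptions chosen for illustration.

```yaml
# Added example: namespace-scoped Kyverno mutation for a NET_RAW exception.
# The namespace "legacy-net" and the label legacy.example.com/needs-net-raw
# are assumed names, not values from the episode.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: legacy-net-raw-exception
  annotations:
    policies.kyverno.io/description: >-
      Grants CAP_NET_RAW only to opted-in legacy workloads in the legacy-net
      namespace. Every matched container still drops ALL other capabilities,
      disallows privilege escalation and runs as non-root, so the exception
      is a single capability rather than a blanket relaxation.
spec:
  background: false            # mutate at admission time only; do not rewrite existing Pods
  rules:
    - name: add-net-raw-to-legacy-pods
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - legacy-net                       # the exception never leaves this namespace
              selector:
                matchLabels:
                  legacy.example.com/needs-net-raw: "true"   # explicit per-workload opt-in
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # "(name): *" is a Kyverno conditional anchor: the patch is applied
              # to every container already present in the Pod spec.
              - (name): "*"
                securityContext:
                  allowPrivilegeEscalation: false
                  +(runAsNonRoot): true            # add-if-not-present anchor; keeps an explicit value
                  capabilities:
                    drop:
                      - ALL
                    add:
                      - NET_RAW
```

Two points a practitioner should check before relying on this. First, Kyverno's mutating webhook runs before the built-in Pod Security Admission validating stage, so the mutated Pod is still evaluated against the target namespace's `pod-security.kubernetes.io/enforce` label; the baseline profile does not permit adding NET_RAW, so in this design only `legacy-net` carries an enforce level that allows it, and every other namespace keeps the cluster-wide baseline untouched. Second, the `match` block is deliberately narrow (one namespace and an opt-in label) so that a typo in the selector fails closed rather than widening the exception; `kyverno apply legacy-net-raw-exception.yaml --resource <pod.yaml>` shows the exact mutated output for a sample Pod before the policy is installed.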
Keywords: Kyverno mutation policy, Pod Security Admission NET_RAW, Kubernetes pod security, PSA legacy workloads, Kyverno securityContext
🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud