Admission Policy Bouncer

You are the admission controller. Pods arrive at the door with their security specs — swipe right to admit, swipe left to deny, based on the active policy. Eight levels covering privileged containers, host namespaces, non-root enforcement, capabilities, image registries, resource limits, privilege escalation, and the full PSA restricted profile.