Primary function of Security Profiles PSP and Kyverno.

Study for the Kubernetes Certified Network Administrator Exam. Our test offers comprehensive flashcards, multiple-choice questions, and detailed explanations. Be confident for your exam!

Multiple Choice

Primary function of Security Profiles PSP and Kyverno.

Explanation:
Tooling like PodSecurityPolicy and Kyverno exists to shape and enforce how pods run in a cluster. They set guardrails around pod specifications so that containers don’t run with risky privileges or configurations. This means they focus on pod-level security settings—things like whether a pod can run as root, what capabilities it can have, allowed volume types, whether the filesystem is read-only, and which host namespaces or elevated privileges are permitted. Kyverno adds flexibility by validating and mutating pod specs according to defined security policies across the cluster, while PSP provides a policy boundary that pods must fit within before running. Because of that focus, their primary role is not about storage provisioning, scheduling decisions, or network access controls. Network policies govern how pods talk to each other, which is a different aspect of cluster security. Therefore, the best choice is that these tools are used to define and enforce security settings at the pod level.

