openshift · bergerhoffer · Dec 15, 2022 · Nov 7, 2022 · sheriff-rh · Dec 15, 2022
diff --git a/release_notes/ocp-4-12-release-notes.adoc b/release_notes/ocp-4-12-release-notes.adoc
@@ -559,6 +559,26 @@ The Cloud Credential Operator utility (`ccoctl`) now creates secrets that use re
 
 With this release, when you xref:../installing/installing_gcp/uninstalling-cluster-gcp.adoc#cco-ccoctl-deleting-sts-resources_uninstalling-cluster-gcp[delete GCP resources with the Cloud Credential Operator utility], you must specify the directory containing the files for the component `CredentialsRequest` objects.
 
+[discrete]
+[id="ocp-4-12-psa-restricted-enforcement"]
+=== Future restricted enforcement for pod security admission
+
+Currently, pod security violations are shown as warnings and logged in the audit logs, but do not cause the pod to be rejected.
+
+Global restricted enforcement for pod security admission is currently planned for the next minor release of {product-title}. When this restricted enforcement is enabled, pods with pod security violations will be rejected.
+
+To prepare for this upcoming change, ensure that your workloads match the pod security admission profile that applies to them. Workloads that are not configured according to the enforced security standards defined globally or at the namespace level will be rejected. The `restricted-v2` SCC admits workloads according to the link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted[Restricted] Kubernetes definition.
+
+If you are receiving pod security violations, see the following resources:
+
+* See xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-alert-eval_understanding-and-managing-pod-security-admission[Identifying pod security violations] for information about how to find which workloads are causing pod security violations.
+
+* See xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-synchronization_understanding-and-managing-pod-security-admission[Security context constraint synchronization with pod security standards] to understand when pod security admission label synchronization is performed. Pod security admission labels are not synchronized in certain situations, such as the following situations:
+** The workload is running in a system-created namespace that is prefixed with `openshift-`.
+** The workload is running on a pod that was created directly without a pod controller.
+
+* If necessary, you can set a custom admission profile on the namespace or pod by setting the `pod-security.kubernetes.io/enforce` label.
+
 [id="ocp-4-12-deprecated-removed-features"]
 == Deprecated and removed features