Profile applicability: Level 1
Use allowedHostPath to deny a container feature that is frequently exploited to break out of the container.
Audit
Run the following command and review the namespace metadata annotations:
kubectl get namespaces
Verify that the annotation pod-security.kubernetes.io/enforce equals restricted and the annotation pod-security.kubernetes.io/allowedHostPath equals false.
Remediation
Add relevant annotations in namespaces to enforce restricted policies and configure
allowedHostPath. Using Pod Security Admission (PSA), apply "restricted" security mode
at the namespace level.
Alternatively, create and apply a Kyverno policy to restrict hostPath usage, or use
Open Policy Agent (OPA) Gatekeeper to create a constraint template for an allowed
hostPath to enforce and apply the policy.
For AWS EKS clusters, Kyverno or OPA Gatekeeper is recommended. For OpenShift, ensure
that the Security Context Constraint (SCC) assigned to a user/group does not allow
hostPath.
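As an added example (not part of the benchmark text), the following Python script runs the audit offline against a constructed sample of `kubectl get namespaces -o json` output and applies, to a constructed Pod manifest, the same hostPath condition that a Kyverno validate rule or a Gatekeeper constraint enforces. It assumes the Pod Security Admission key `pod-security.kubernetes.io/enforce`, which PSA reads from namespace labels; all namespace names, manifests and volume paths are constructed.

```python
import json

# Pod Security Admission reads its mode from this namespace label key.
PSA_ENFORCE_KEY = "pod-security.kubernetes.io/enforce"

# Constructed sample: trimmed output of `kubectl get namespaces -o json`.
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "payments", "labels": {PSA_ENFORCE_KEY: "restricted"}}},
    {"metadata": {"name": "legacy", "labels": {PSA_ENFORCE_KEY: "baseline"}}},
    {"metadata": {"name": "scratch", "labels": {}}},
]})

# Constructed sample Pod that mounts the node's root filesystem via hostPath.
POD_WITH_HOSTPATH = {
    "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "scratch"},
    "spec": {
        "containers": [{"name": "c", "image": "busybox"}],
        "volumes": [
            {"name": "tmp", "emptyDir": {}},
            {"name": "root", "hostPath": {"path": "/"}},
        ],
    },
}


def namespaces_not_restricted(ns_json: str) -> list[str]:
    """Namespaces whose enforce label is missing or weaker than 'restricted'.
    A missing label means no PSA enforcement at all, so it is reported too."""
    failing = []
    for item in json.loads(ns_json).get("items", []):
        meta = item.get("metadata", {})
        if meta.get("labels", {}).get(PSA_ENFORCE_KEY) != "restricted":
            failing.append(meta["name"])
    return failing


def hostpath_volumes(pod: dict) -> list[str]:
    """Names of volumes using hostPath: the condition a Kyverno validate rule
    or Gatekeeper constraint rejects (spec.volumes[*].hostPath must be unset)."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [v["name"] for v in volumes if "hostPath" in v]
```

Feed the real `kubectl get namespaces -o json` output to `namespaces_not_restricted` to list namespaces that still need the restricted label; any non-empty result from `hostpath_volumes` is what the admission policy would reject.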