From 9a09ac5a40b9de137ad242ae87c2fd8bb6f3e48f Mon Sep 17 00:00:00 2001
From: k8s-infra-cherrypick-robot
 <90416843+k8s-infra-cherrypick-robot@users.noreply.github.com>
Date: Tue, 19 Aug 2025 04:51:36 -0700
Subject: [PATCH] Fix: Change "empty" definition for PodSecurity Admission
 configuration (#12478)

Fixes a bug where `kube-apiserver` fails to start if the PodSecurity
configuration file doesn't have the `apiVersion` and `kind` keys.

Signed-off-by: Alejandro Macedo <alex.macedopereira@gmail.com>
Co-authored-by: Alejandro Macedo <alex.macedopereira@gmail.com>
---
 roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
index c97373306..f3f02d2c2 100644
--- a/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
@@ -1,6 +1,6 @@
-{% if kube_pod_security_use_default %}
 apiVersion: pod-security.admission.config.k8s.io/v1
 kind: PodSecurityConfiguration
+{% if kube_pod_security_use_default %}
 defaults:
   enforce: "{{ kube_pod_security_default_enforce }}"
   enforce-version: "{{ kube_pod_security_default_enforce_version }}"