
Default PSS not getting applied at cluster level - rke2 v1.25 and CIS profile 1.23 #4521

Closed
shindebshekhar opened this issue Jul 29, 2023 · 1 comment

shindebshekhar commented Jul 29, 2023

RKE2 version: v1.25
CIS version: 1.23

Issue:
After passing "pod-security-admission-config-file: /tmp/rancher-pss.yaml" to the RKE2 config file, the default setting (enforce: restricted) in the rancher-pss.yaml below is not getting applied:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system, tigera-operator]

I am able to deploy a pod with parameters which are only allowed at the privileged PSA level, like allowing a container to run as root. If the default policy is restricted, ideally it should not allow this. Moreover, if I change the default to "baseline" it doesn't work as expected either.

The PSA only gets applied if I manually label the namespace with a PSA level (enforce: restricted/baseline/privileged); then it works, but the default at cluster level doesn't work.

shindebshekhar changed the title from "Default PSS not getting applied at cluster level with rke2 v1.25 and CIS profile 1.23" to "Default PSS not getting applied at cluster level - rke2 v1.25 and CIS profile 1.23" on Jul 29, 2023
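As an added illustration (not code from the rke2 project or from either participant), the script below models the two Pod Security Admission resolution rules that bear on this report: a namespace label always overrides the cluster-wide default for that mode, and a namespace on the exemption list is skipped entirely. It also checks a pod spec against a subset of the baseline and restricted controls, so the difference between "labelled restricted" and "defaulted restricted" can be seen without a cluster. The AdmissionConfiguration is transcribed from the post; the non-exempt namespace names, their labels, and the pod spec are constructed for the example.

```python
"""Added example: resolve the PSA level per namespace and check a pod spec.

Constructed for illustration; nothing here talks to a cluster.
"""

LEVELS = ("privileged", "baseline", "restricted")
MODES = ("enforce", "audit", "warn")
LABEL_PREFIX = "pod-security.kubernetes.io/"

# The PodSecurityConfiguration from the issue, transcribed to a dict.
PSA_CONFIG = {
    "defaults": {
        "enforce": "restricted", "enforce-version": "latest",
        "audit": "restricted", "audit-version": "latest",
        "warn": "restricted", "warn-version": "latest",
    },
    "exemptions": {
        "usernames": [], "runtimeClasses": [],
        "namespaces": ["kube-system", "cis-operator-system", "tigera-operator"],
    },
}


def validate_config(cfg):
    """Return problems with the defaults block (empty list if well-formed)."""
    problems = []
    defaults = cfg.get("defaults", {})
    for mode in MODES:
        level = defaults.get(mode, "privileged")  # PSA treats an unset mode as privileged
        if level not in LEVELS:
            problems.append(f"defaults.{mode}={level!r} is not one of {LEVELS}")
    return problems


def effective_levels(cfg, namespace_name, namespace_labels):
    """Return None for an exempt namespace, else {mode: (level, source)}.

    source is "label" when pod-security.kubernetes.io/<mode> is set on the
    namespace and "default" when the cluster-wide default is used.
    """
    if namespace_name in cfg.get("exemptions", {}).get("namespaces", []):
        return None
    defaults = cfg.get("defaults", {})
    out = {}
    for mode in MODES:
        label_value = namespace_labels.get(LABEL_PREFIX + mode)
        if label_value is not None:
            out[mode] = (label_value, "label")
        else:
            out[mode] = (defaults.get(mode, "privileged"), "default")
    return out


def check_pod(pod_spec, level):
    """Return violations of a subset of the PSA controls for the given level.

    Baseline subset: no privileged containers, no host namespaces.
    Restricted subset adds: allowPrivilegeEscalation explicitly false,
    runAsNonRoot true, capabilities drop ALL, RuntimeDefault/Localhost seccomp.
    """
    violations = []
    if level == "privileged":
        return violations
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            violations.append(f"{field}=true is not allowed at baseline")
    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged=true is not allowed at baseline")
        if level != "restricted":
            continue
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        # Pod-level securityContext values are inherited unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            violations.append(f"{name}: capabilities.drop must include ALL")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed namespaces: unlabelled (should inherit the defaults),
# labelled baseline, and one from the exemption list.
NAMESPACES = {
    "app-unlabelled": {},
    "app-baseline": {LABEL_PREFIX + "enforce": "baseline"},
    "kube-system": {},
}

# Constructed pod spec like the one described: runs as root, sets no restricted fields.
ROOT_POD = {"containers": [{"name": "web", "image": "example/web:1.0",
                            "securityContext": {"runAsUser": 0}}]}

if __name__ == "__main__":
    for problem in validate_config(PSA_CONFIG):
        print("config problem:", problem)
    for ns, labels in NAMESPACES.items():
        levels = effective_levels(PSA_CONFIG, ns, labels)
        if levels is None:
            print(f"{ns}: exempt, PSA skipped")
            continue
        enforce, source = levels["enforce"]
        print(f"{ns}: enforce={enforce} ({source}) -> {check_pod(ROOT_POD, enforce)}")
```

Run against a real cluster, the equivalent check is whether an unlabelled namespace rejects the root pod: if it only does so once the namespace carries a pod-security.kubernetes.io/enforce label, the admission configuration file is not reaching the apiserver, which is what the maintainer's request for the static pod manifest is meant to establish.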
brandond (Member) commented

Are you also setting the profile value in your config?

Can you show the kube-apiserver static pod manifest from the node in question to confirm that the pod security admission file is being passed in to the apiserver, and confirm that there are not any errors in the apiserver logs?
