Does the kubelet validate PodSecurityPolicy?

7/22/2019

I described a pod in Kubernetes and saw the following error from the kubelet:

Warning  FailedCreatePodSandBox  12m (x835 over 36m)    kubelet, ip-1-2-3-4.eu-west-1.compute.internal  (combined from similar events): Failed create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "5608c825cd175d595a89be91a27ba971e4160066a8d4690ef2ab29358dec8675" network for pod "coredns-747c45d54-627wn": NetworkPlugin cni failed to set up pod "coredns-747c45d54-627wn_kube-system" network: connection is unauthorized: pods "coredns-747c45d54-627wn" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added]

My question is around the "unable to validate against any pod security policy" part: my understanding of pod security policy is that the validation checks happen only at apiserver admission time (and are performed by the pod security policy admission controller), so when the kubelet sees that it needs to run a pod it assumes it has already been validated. This seems not to be the case, however, and the kubelet is also performing validation.

Am I correct in saying this and is this behaviour documented anywhere? Or have I misinterpreted the error message?

Kubernetes version: 14.1

-- dippynark
kubernetes
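Added here as an example, not part of the original question: a PodSecurityPolicy that permits only the NET_BIND_SERVICE capability named in the error, plus the RBAC objects that let the CoreDNS service account use it. The policy and role names, and the assumption that the pod runs as the `coredns` service account in `kube-system` (the kubeadm default), are mine, not taken from the page.

```yaml
# Added example (not from the original post). Assumes the pod runs as the
# "coredns" service account in kube-system; object names below are made up.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: coredns-net-bind
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # Allow exactly the one capability the pod asks for; drop everything else.
  allowedCapabilities:
    - NET_BIND_SERVICE
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # configMap for the Corefile, secret for the service-account token mount
  volumes: ["configMap", "secret", "emptyDir"]
---
# Grant "use" on this policy only to the pod's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coredns-net-bind
  namespace: kube-system
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["coredns-net-bind"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: coredns-net-bind
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coredns-net-bind
subjects:
  - kind: ServiceAccount
    name: coredns
    namespace: kube-system
```

After applying, `kubectl auth can-i use podsecuritypolicy/coredns-net-bind --as=system:serviceaccount:kube-system:coredns -n kube-system` should answer `yes`; if it does not, the binding (not the policy) is what to check.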

0 Answers