This section provides information for managing security for TKG Service clusters.

What to read next

Security for TKG Service Clusters
TKG Service with Supervisor leverages vSphere security features and lets you provision workload clusters that are secure by default.

Configure PSA for TKR 1.25 and Later
TKG releases v1.25 and later enable the Pod Security Admission (PSA) controller. With PSA you can uniformly enforce pod security using namespace labels.

Configure PSP for TKR 1.24 and Earlier
TKG on Supervisor supports pod security using the Pod Security Policy admission controller, which is enabled by default for TKG clusters using TKR v1.24 and earlier.

Apply Default Pod Security Policy to TKG Service Clusters
TKG Service clusters using TKR 1.24 and earlier include a default pod security policy that you can bind to for privileged and restricted workload deployment.

Managing TLS Certificates for TKG Service Clusters
vSphere IaaS control plane uses Transport Layer Security (TLS) encryption to secure communications among components. TKG on Supervisor includes several TLS certificates supporting this cryptographic infrastructure. Supervisor certificate rotation is manual. TKG certificate rotation is automated, but can be done manually if necessary.

Rotate NSX Certificates
Supervisor uses TLS for communication between Supervisor and NSX. There are various NSX certificates you may need to rotate if you have deployed Supervisor with the NSX networking stack.