New Feature | Resolution: Unresolved | Minor | None
Starting with Kubernetes 1.25, Pod Security Admission is a stable feature and replaces Pod Security Policies, which were removed in that same release.
When Pod Security Admission is enforced in the agents namespace, though, the pod built around the kubernetes-plugin's generated jnlp container is rejected by the admission controller and never gets scheduled. To make it work, users currently need to override the container definition in the Pod YAML to add a securityContext:
apiVersion: "v1"
kind: "Pod"
spec:
  containers:
  - name: jnlp
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
This means that every pod template needs this container override while Pod Security Admission is enabled. Note that the standard is evaluated against every container in the pod (initContainers included), so any additional containers in the template need an equivalent securityContext as well.
Note: this proposed securityContext targets the restricted Pod Security Standard. The other standards (baseline, privileged) would accept a less restrictive securityContext, but we believe that people enabling Pod Security Admission would probably target the restricted standard. Feel free to raise your concern/opinion if you think otherwise.
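As an added example (not kubernetes-plugin code), here is a small pre-flight checker that validates a pod template against the restricted profile before the admission controller gets to reject it. It reproduces the container-level rules from the Kubernetes Pod Security Standards documentation, takes the pod as a plain dict (load a YAML template with yaml.safe_load first), and includes a hypothetical apply_jnlp_override helper that does to one named container what the proposed global option would do automatically. The sample pods at the bottom are constructed for this example; the image names are only illustrative.

```python
"""Pre-flight validation of a Jenkins agent pod against the Kubernetes
"restricted" Pod Security Standard.

Added example, not kubernetes-plugin code. The pod is a plain dict (load a
YAML template with yaml.safe_load first). The checks mirror the restricted
profile's rules from the Kubernetes documentation, i.e. what Pod Security
Admission enforces in a namespace labelled
pod-security.kubernetes.io/enforce=restricted."""
from __future__ import annotations

import copy

# Volume types permitted by the restricted profile.
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir",
                        "ephemeral", "persistentVolumeClaim", "projected", "secret"}

# The override proposed in this issue for the jnlp container.
RESTRICTED_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def _containers(spec: dict):
    """Yield (path, container) for every container the standard inspects."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key) or []:
            yield f"{key}[{c.get('name')}]", c


def restricted_violations(pod: dict) -> list:
    """Return human-readable violations; an empty list means the pod passes."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    problems = []

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            problems.append(f"spec.{flag} must be false")
    for vol in spec.get("volumes") or []:
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUME_TYPES:
                problems.append(f"volume {vol.get('name')!r}: type {vtype} is not allowed")

    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for path, c in _containers(spec):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            problems.append(f"{path}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{path}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{path}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"{path}: capabilities.add may only contain NET_BIND_SERVICE, found {sorted(extra)}")
        # Container-level fields override pod-level ones; an unset field inherits.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{path}: runAsNonRoot must be true at pod or container level")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{path}: runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{path}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def apply_jnlp_override(pod: dict, container: str = "jnlp") -> dict:
    """Hypothetical stand-in for the proposed global option: return a copy of the
    pod with RESTRICTED_SECURITY_CONTEXT merged into the named container.
    Fields the user already set on that container are kept as-is."""
    out = copy.deepcopy(pod)
    for c in out["spec"].get("containers") or []:
        if c.get("name") == container:
            merged = copy.deepcopy(RESTRICTED_SECURITY_CONTEXT)
            merged.update(c.get("securityContext") or {})
            c["securityContext"] = merged
    return out


# Constructed samples: a pod approximating the generated jnlp container (no
# securityContext), the same pod with the override applied, and a template with
# an extra build container that nobody hardened.
DEFAULT_AGENT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "agent"},
    "spec": {"containers": [{"name": "jnlp", "image": "jenkins/inbound-agent"}]},
}
HARDENED_AGENT_POD = apply_jnlp_override(DEFAULT_AGENT_POD)
MIXED_POD = copy.deepcopy(HARDENED_AGENT_POD)
MIXED_POD["spec"]["containers"].append(
    {"name": "maven", "image": "maven:3-eclipse-temurin-17", "command": ["sleep", "infinity"]})

if __name__ == "__main__":
    for label, pod in (("default jnlp", DEFAULT_AGENT_POD),
                       ("hardened jnlp", HARDENED_AGENT_POD),
                       ("hardened jnlp + plain maven", MIXED_POD)):
        found = restricted_violations(pod)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' violation(s)'}")
        for line in found:
            print("  -", line)
```

Running it shows the default jnlp pod failing exactly the four restricted checks the override addresses, the hardened pod passing, and the mixed template failing only on the maven container, which is the case the note above warns about. Two caveats: runAsNonRoot: true only works when the image declares a non-root user (the inbound agent image does; a custom build image that runs as root will be refused by the kubelet at container creation), and passing this checker is necessary but not sufficient, since it omits a few rarely used fields the real profile also inspects (procMount, sysctls, Windows-specific settings).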
As an easy and straightforward solution to this issue, we propose adding a new global configuration option in Jenkins that enables or disables automatic addition of this override.
Once enabled, the kubernetes-plugin will add this securityContext to the default jnlp container automatically.