diff --git a/prepare-labs/lib/AdmissionConfiguration.yaml b/prepare-labs/lib/AdmissionConfiguration.yaml
new file mode 100644
index 00000000..af080ccb
--- /dev/null
+++ b/prepare-labs/lib/AdmissionConfiguration.yaml
@@ -0,0 +1,21 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "privileged"
+ enforce-version: "latest"
+ audit: "baseline"
+ audit-version: "latest"
+ warn: "baseline"
+ warn-version: "latest"
+ exemptions:
+ # Array of authenticated usernames to exempt.
+ usernames: []
+ # Array of runtime class names to exempt.
+ runtimeClasses: []
+ # Array of namespaces to exempt.
+ namespaces: [ kube-system ]
diff --git a/prepare-labs/lib/commands.sh b/prepare-labs/lib/commands.sh
index 223d4cc3..f2ed982d 100644
--- a/prepare-labs/lib/commands.sh
+++ b/prepare-labs/lib/commands.sh
@@ -595,6 +595,10 @@ _cmd_kubeadm() {
 pssh -I "sudo tee /etc/containerd/config.toml" < lib/containerd-config.toml
 pssh "sudo systemctl restart containerd"
 
+ # Copy the AdmissionConfiguration file.
+ pssh "sudo mkdir -p /etc/kubernetes"
+ pssh -I "sudo tee /etc/kubernetes/AdmissionConfiguration.yaml" < lib/AdmissionConfiguration.yaml
+
 # Initialize kube control plane
 pssh --timeout 200 "
 IPV6=\$(ip -json a | jq -r '.[].addr_info[] | select(.scope==\"global\" and .family==\"inet6\") | .local' | head -n1)
@@ -613,7 +617,7 @@ _cmd_kubeadm() {
 kubeadm token generate > /tmp/token && cat >/tmp/kubeadm-config.yaml <
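Review bot: `enforce: "privileged"` under `defaults` means Pod Security Admission rejects nothing cluster-wide; only the `baseline` `audit` and `warn` modes take effect, so the visible outcome is client warnings and audit-log annotations, never a blocked pod. If that is deliberate for a training cluster where students need privileged workloads, record the rationale above `defaults:`, e.g. `# enforce stays at privileged so lab workloads are never rejected; baseline violations only warn and are audited.` As far as I recall, the `pod-security.admission.config.k8s.io/v1` configuration API is served by kube-apiserver 1.25 and later only, with `v1beta1` needed on older control planes, so this should be checked against the Kubernetes version the labs install. This file also does nothing on its own until kube-apiserver is started with `--admission-control-config-file` pointing at it; that wiring presumably lives in the kubeadm config hunk that is cut off below.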
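Review bot: Writing `/etc/kubernetes/AdmissionConfiguration.yaml` onto the host is only half the wiring: to my knowledge the kube-apiserver static pod generated by kubeadm mounts `/etc/kubernetes/pki` but not `/etc/kubernetes` itself, so the ClusterConfiguration needs both `apiServer.extraArgs` with `admission-control-config-file` and a matching `extraVolumes` entry for this path, otherwise the API server container cannot open the file. The kubeadm-config heredoc that would carry that is in the following hunk, which is cut off here, so I cannot confirm it is present. The comment `# Copy the AdmissionConfiguration file.` would be more useful if it said why, e.g. `# Install the Pod Security Admission configuration; the kubeadm config below points kube-apiserver at it.` The `sudo mkdir -p /etc/kubernetes` is harmless but redundant, since kubeadm creates that directory during init. The enclosing `_cmd_kubeadm` function begins before this hunk.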