diff --git a/psp-privileged-containers/README.md b/psp-privileged-containers/README.md
new file mode 100644
index 00000000..6ce7b1ef
--- /dev/null
+++ b/psp-privileged-containers/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-privileged-containers` is a kcl PSP validation package. 
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-privileged-containers)
diff --git a/psp-privileged-containers/kcl.mod b/psp-privileged-containers/kcl.mod
new file mode 100644
index 00000000..77ae53a1
--- /dev/null
+++ b/psp-privileged-containers/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-privileged-containers"
+version = "0.1.0"
+description = "`psp-privileged-containers` is a kcl validation package"
+
diff --git a/psp-privileged-containers/kcl.mod.lock b/psp-privileged-containers/kcl.mod.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/psp-privileged-containers/main.k b/psp-privileged-containers/main.k
new file mode 100644
index 00000000..86f4a682
--- /dev/null
+++ b/psp-privileged-containers/main.k
@@ -0,0 +1,42 @@
+"""Controls the ability of any container to enable privileged mode.
+Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+information, see
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+"""
+
+schema Params:
+    exemptImages?: [str]
+
+params: Params = option("params")
+exemptImages: [str] = params?.exemptImages or []
+
+is_exempt = lambda image: str -> bool {
+    result = False
+    if exemptImages:
+        result = any exempt_image in exemptImages {
+            (image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+        }
+    result
+}
+
+violation = lambda container: {str:} {
+    msg = "only read-only root filesystem container is allowed: ${container.name}"
+    assert not container.securityContext?.privileged, msg
+    msg
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers: [{str:}] = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    if containers:
+        containers = [c for c in containers if not is_exempt(c.image)]
+        container_list_disallow = [c.name for c in containers if not violation(c)]
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]