Split PSP defaulting and validation #36184

@pweil-

When authz is added to PSP admission (#33080), the user submitting the request will now be taken into account for PSP selection. That means that if one user creates a pod and another user updates the pod, the PSP options that the pod validates against may be different.

Since the PodSpec should not be mutable on the fields that PSP defaults anyway, the PSP logic should be split so that defaulting only occurs during an ADD operation. An UPDATE operation should only attempt to validate that the user has a PSP that would allow the requested spec.

ref: https://github.com/kubernetes/kubernetes/pull/33080/files#r84148684
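
An added sketch of the split proposed in this issue, not code from the issue or from Kubernetes: defaulting runs only on CREATE, while UPDATE checks the submitted spec against the PSPs the requesting user may use. The `Pod` and `PSP` types, the UID-range rule, the `Users` map standing in for the authorization check, and the sample policies are all assumptions made for illustration.

```go
package main

import "fmt"

// Hypothetical, simplified types; not the Kubernetes API.
type Pod struct{ RunAsUser *int64 }

type PSP struct {
	Name                       string
	DefaultUID, MinUID, MaxUID int64
	Users                      map[string]bool // stand-in for the authz check
}

func (p PSP) allows(pod Pod) bool {
	return pod.RunAsUser != nil && *pod.RunAsUser >= p.MinUID && *pod.RunAsUser <= p.MaxUID
}

// Admit applies PSP defaults only on CREATE; UPDATE validates the spec as submitted.
func Admit(op, user string, pod Pod, psps []PSP) (Pod, string, error) {
	for _, p := range psps {
		if !p.Users[user] {
			continue // requesting user is not authorized to use this PSP
		}
		candidate := pod
		if op == "CREATE" && candidate.RunAsUser == nil {
			uid := p.DefaultUID // defaulting is the only mutation, and only on CREATE
			candidate.RunAsUser = &uid
		}
		if p.allows(candidate) {
			return candidate, p.Name, nil
		}
	}
	return pod, "", fmt.Errorf("no PSP usable by %s allows this pod", user)
}

// samplePSPs returns constructed policies: bob may only use "restricted".
func samplePSPs() []PSP {
	return []PSP{
		{"restricted", 1000, 1000, 65535, map[string]bool{"alice": true, "bob": true}},
		{"privileged", 0, 0, 65535, map[string]bool{"alice": true}},
	}
}

func main() {
	root := int64(0)
	_, name, _ := Admit("CREATE", "alice", Pod{RunAsUser: &root}, samplePSPs())
	_, _, err := Admit("UPDATE", "bob", Pod{RunAsUser: &root}, samplePSPs())
	fmt.Println("alice create admitted by:", name, "| bob update:", err)
}
```

In this model a pod that alice created as UID 0 under "privileged" cannot be updated by bob, because no PSP bob may use allows that spec, and an UPDATE never has missing fields filled in for it.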

Labels

kind/bug: Categorizes issue or PR as related to a bug.
milestone/removed
sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
