diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostNamespaces.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostNamespaces.go
index f5d78528c11..a11e59f9c72 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_hostNamespaces.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostNamespaces.go
@@ -21,7 +21,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/pod-security-admission/api"
 )
@@ -34,7 +33,7 @@ spec.hostNetwork
 spec.hostPID
 spec.hostIPC
-**Allowed Values:** false
+**Allowed Values:** undefined, false
 */
 func init() {
@@ -57,25 +56,25 @@ func CheckHostNamespaces() Check {
 }
 func hostNamespaces_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
- hostNamespaces := sets.NewString()
+ var hostNamespaces []string
 if podSpec.HostNetwork {
- hostNamespaces.Insert("hostNetwork")
+ hostNamespaces = append(hostNamespaces, "hostNetwork=true")
 }
 if podSpec.HostPID {
- hostNamespaces.Insert("hostPID")
+ hostNamespaces = append(hostNamespaces, "hostPID=true")
 }
 if podSpec.HostIPC {
- hostNamespaces.Insert("hostIPC")
+ hostNamespaces = append(hostNamespaces, "hostIPC=true")
 }
 if len(hostNamespaces) > 0 {
 return CheckResult{
 Allowed: false,
 ForbiddenReason: "host namespaces",
- ForbiddenDetail: strings.Join(hostNamespaces.List(), ", "),
+ ForbiddenDetail: strings.Join(hostNamespaces, ", "),
 }
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostNamespaces_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostNamespaces_test.go
new file mode 100644
index 00000000000..6b842e28c2f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostNamespaces_test.go
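Review bot: hostNamespaces_1_0 has no doc comment, and the order of ForbiddenDetail is now part of its observable behavior — the rewritten body emits `hostNetwork=true`, `hostPID=true`, `hostIPC=true` in spec-field order, whereas the removed `sets.String.List()` call returned a sorted slice (so `hostIPC` moved from first to last). Anything that matched on the old detail string will see a different value, and nothing in the hunk records that this ordering is intentional. Suggest stating the contract above the signature: `// hostNamespaces_1_0 rejects a pod that sets any of hostNetwork, hostPID or hostIPC; the detail names each offending spec field in that order.` The function's success return lies below the hunk and is not visible here.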
@@ -0,0 +1,58 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "testing"
+
+ corev1 "k8s.io/api/core/v1"
+)
+
+func TestHostNamespaces(t *testing.T) {
+ tests := []struct {
+ name string
+ pod *corev1.Pod
+ expectReason string
+ expectDetail string
+ }{
+ {
+ name: "multiple host namespaces",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ HostNetwork: true,
+ HostIPC: true,
+ HostPID: true,
+ }},
+ expectReason: `host namespaces`,
+ expectDetail: `hostNetwork=true, hostPID=true, hostIPC=true`,
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ result := hostNamespaces_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
+ if result.Allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ })
+ }
+}
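Review bot: The table can only express rejections — the loop calls `t.Fatal("expected disallowed")` whenever `result.Allowed` is true — so the pass path (a pod with none of hostNetwork, hostPID or hostIPC set) and the per-field detail strings `hostNetwork=true`, `hostPID=true`, `hostIPC=true` are never exercised, and a regression that rejected every pod or mislabelled a single field would not be caught. For an admission check the allow decision is the security-relevant one and deserves a case of its own. Add an `expectAllowed` column, compare against it instead of failing unconditionally, and add one case per individual field plus the all-false pod.
```go
	tests := []struct {
		name          string
		pod           *corev1.Pod
		expectAllowed bool
		expectReason  string
		expectDetail  string
	}{
		{
			name:          "no host namespaces",
			pod:           &corev1.Pod{Spec: corev1.PodSpec{}},
			expectAllowed: true,
		},
		{
			name:         "hostNetwork only",
			pod:          &corev1.Pod{Spec: corev1.PodSpec{HostNetwork: true}},
			expectReason: `host namespaces`,
			expectDetail: `hostNetwork=true`,
		},
		// … unchanged: "multiple host namespaces" case (add hostPID-only and hostIPC-only alongside it) …
	}
	// … unchanged: range over tests, t.Run …
			result := hostNamespaces_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
			if result.Allowed != tc.expectAllowed {
				t.Fatalf("expected allowed=%v, got %v", tc.expectAllowed, result.Allowed)
			}
	// … unchanged: reason and detail comparisons …
```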