Which mode of the Pod Security Admission Controller enforces policies and blocks pods that do not comply?
Think about which mode actively stops non-compliant pods from running.
Enforce mode blocks pods that violate the security policies, preventing them from being created or updated.
What is the output when a pod violates the 'restricted' Pod Security Admission policy in enforce mode?
kubectl apply -f pod.yaml
Enforce mode blocks pods and returns an error message.
In enforce mode, the admission controller denies pod creation and returns a forbidden error with details about the violation.
Which YAML snippet correctly configures the Pod Security Admission Controller to enforce the 'baseline' policy on the namespace 'dev-team'?
Enforce annotation applies the policy strictly.
The 'pod-security.kubernetes.io/enforce' annotation with value 'baseline' applies the baseline policy in enforce mode to the namespace.
A developer reports that their pod creation fails with the message: admission webhook "podsecurity.k8s.io" denied the request: restricted: forbidden fields present. What is the most likely cause?
Focus on the 'forbidden fields present' part of the error message.
The error indicates the pod spec violates the enforced 'restricted' policy by including disallowed fields such as privileged containers or host networking.
You want to upgrade a namespace from 'baseline' to 'restricted' Pod Security policy without breaking existing workloads. Which sequence of steps is best?
Think about a safe upgrade path that warns first before enforcing.
First warn to detect violations, fix them, then enforce the policy, and finally clean up the warn annotation.