medium📝 Troubleshoot Q14 of 15
Kubernetes - RBAC and Security
You configured the Pod Security Admission Controller with --pod-security-enforce=restricted, but pods with privileged containers are still being created. What is the most likely cause?
A. The pods are created in namespaces labeled to exempt enforcement
B. The admission controller is not enabled in the API server
C. The pod spec has incorrect securityContext fields
D. The Kubernetes version does not support Pod Security Admission Controller
Step-by-Step Solution
Solution:
  1. Step 1: Check admission controller enablement

    If the controller was not enabled, no enforcement would occur cluster-wide, but the question implies partial enforcement.
  2. Step 2: Understand namespace labels impact

    Namespaces can be labeled to exempt or relax enforcement, allowing privileged pods despite cluster-wide settings.
  3. Step 3: Consider other options

    Incorrect pod specs or Kubernetes version issues would cause errors or no enforcement at all, not selective allowance.
  4. Final Answer:

    The pods are created in namespaces labeled to exempt enforcement -> Option A
  5. Quick Check:

    Namespace labels can exempt enforcement [OK]
Quick Trick: Check namespace labels for enforcement exemptions [OK]
Common Mistakes:
  • Assuming controller is disabled without checking labels
  • Ignoring namespace-level exemptions
  • Blaming pod spec errors for enforcement bypass
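
The namespace-label check from Step 2, as an added example that is not part of the original quiz: it lists every namespace whose enforce label is weaker than the cluster-wide level and marks the ones that admit privileged containers. It assumes the standard `pod-security.kubernetes.io/enforce` namespace label and input shaped like `kubectl get namespaces -o json`; the function name `audit_namespaces` and the sample namespaces are constructed for illustration.

```python
import json

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
# Pod Security Standards levels, ordered from least to most strict.
LEVELS = ["privileged", "baseline", "restricted"]

# Constructed sample, shaped like `kubectl get namespaces -o json` output.
SAMPLE_NAMESPACES = json.dumps({
    "items": [
        {"metadata": {"name": "default"}},
        {"metadata": {"name": "payments",
                      "labels": {ENFORCE_LABEL: "restricted"}}},
        {"metadata": {"name": "monitoring",
                      "labels": {ENFORCE_LABEL: "baseline"}}},
        {"metadata": {"name": "legacy-batch",
                      "labels": {ENFORCE_LABEL: "privileged"}}},
    ]
})


def audit_namespaces(namespaces_json, cluster_default="restricted"):
    """Return a finding for each namespace enforcing less than cluster_default."""
    default_rank = LEVELS.index(cluster_default)
    findings = []
    for item in json.loads(namespaces_json).get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        # An unlabeled namespace inherits the cluster-wide level.
        level = labels.get(ENFORCE_LABEL, cluster_default)
        if level not in LEVELS:
            # Unrecognized value: report it rather than guess its effect.
            findings.append({"namespace": meta.get("name"), "enforce": level,
                             "allows_privileged": None})
        elif LEVELS.index(level) < default_rank:
            # Only the "privileged" level admits privileged containers.
            findings.append({"namespace": meta.get("name"), "enforce": level,
                             "allows_privileged": level == "privileged"})
    return findings


if __name__ == "__main__":
    for f in audit_namespaces(SAMPLE_NAMESPACES):
        print(f"{f['namespace']}: enforce={f['enforce']} "
              f"allows_privileged={f['allows_privileged']}")
```

On a live cluster, pass the output of `kubectl get namespaces -o json` to `audit_namespaces` in place of the sample.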
