medium📝 Troubleshoot Q6 of 15
Kubernetes - RBAC and Security
After labeling a namespace with pod-security.kubernetes.io/enforce=restricted, pods with privileged containers are still accepted. What is the most probable reason?
A. The Pod Security Admission Controller is not enabled or configured properly in the API server
B. The namespace label syntax is incorrect and ignored by the controller
C. Privileged containers are allowed by default in the restricted profile
D. Pod Security Admission Controller only warns and does not enforce policies
Step-by-Step Solution
Solution:
  1. Step 1: Verify controller activation

    Pod Security Admission Controller must be enabled in the API server flags.
  2. Step 2: Understand enforcement

    Without the controller enabled, labels have no effect.
  3. Step 3: Check label correctness

    The label syntax is correct, and the restricted profile disallows privileged containers.
  4. Final Answer:

    The Pod Security Admission Controller is not enabled or configured properly in the API server -> Option A
  5. Quick Check:

    Controller must be active for enforcement
Quick Trick: Controller must be enabled for enforcement to work
Common Mistakes:
  • Assuming labels alone enforce policies
  • Believing the restricted profile allows privileged containers
  • Confusing warn mode with enforce mode
