A cluster admin set pod-security.kubernetes.io/enforce=baseline on a namespace, but pods with hostPath volumes are still allowed. What should be checked to fix this?

Medium · Troubleshoot · Q7 of 15
Kubernetes - RBAC and Security
A. Add a network policy to block hostPath volumes.
B. Change the label to enforce=restricted instead of baseline.
C. Remove the label to disable pod security enforcement.
D. Verify if the Pod Security Admission Controller webhook is properly configured.
Step-by-Step Solution
  1. Step 1: Understand baseline profile restrictions. Baseline profile allows hostPath volumes; the restricted profile forbids them.
  2. Step 2: To block hostPath volumes, change the label to enforce=restricted to apply the stricter policy.
  3. Final Answer: Change the label to enforce=restricted instead of baseline. -> Option B
  4. Quick Check: Restricted blocks hostPath; baseline allows it. [OK]
Quick Trick: Baseline allows hostPath; use restricted to block [OK]
Common Mistakes:
  • Confusing baseline with restricted profile
  • Checking webhook unnecessarily
  • Using network policy for volume restrictions
