Practice - 5 Tasks
Answer the questions below
1. Fill in blank (easy)
Complete the code to enable the Pod Security Admission controller in the API server manifest.
Kubernetes
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --enable-admission-plugins=[1]
Common Mistakes
Using other admission plugins like NodeRestriction instead of PodSecurity.
Forgetting to add the plugin to the --enable-admission-plugins flag.
The Pod Security Admission controller is enabled by adding 'PodSecurity' to the --enable-admission-plugins flag in the kube-apiserver manifest.
2. Fill in blank (medium)
Complete the command to label a namespace for enforcing the 'restricted' Pod Security standard.
Kubernetes
kubectl label namespace my-namespace pod-security.kubernetes.io/enforce=[1]
Common Mistakes
Using 'privileged' which is the least secure profile.
Using 'baseline' which is less strict than 'restricted'.
To enforce the 'restricted' Pod Security standard, label the namespace with 'pod-security.kubernetes.io/enforce=restricted'.
3. Fill in blank (hard)
Fix the error in the label command to audit the 'baseline' Pod Security standard on a namespace.
Kubernetes
kubectl label namespace test-namespace pod-security.kubernetes.io/audit=[1]
Common Mistakes
Using 'enforce' as a label value instead of a profile name.
Using 'restricted' when the task asks for 'baseline'.
To audit the 'baseline' Pod Security standard, use the label 'pod-security.kubernetes.io/audit=baseline'.
4. Fill in blank (hard)
Fill both blanks to configure the Pod Security Admission controller to audit and warn on the 'privileged' profile.
Kubernetes
kubectl label namespace dev-namespace pod-security.kubernetes.io/audit=[1] pod-security.kubernetes.io/warn=[2]
Common Mistakes
Mixing different profile names for audit and warn labels.
Using invalid profile names like 'unconfined'.
To audit and warn on the 'privileged' profile, set both labels to 'privileged'.
5. Fill in blank (hard)
Fill all three blanks to create a Pod Security label set that enforces 'restricted', warns 'baseline', and audits 'privileged' profiles on a namespace.
Kubernetes
kubectl label namespace secure-ns pod-security.kubernetes.io/enforce=[1] pod-security.kubernetes.io/warn=[2] pod-security.kubernetes.io/audit=[3]
Common Mistakes
Using the same profile for all three labels.
Using 'unconfined' which is not a valid profile.
Set enforce to 'restricted', warn to 'baseline', and audit to 'privileged' to apply increasing levels of security checks.