
Pod security standards in Kubernetes - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
Understanding Pod Security Standards Levels
Which of the following best describes the restricted Pod Security Standard level in Kubernetes?
A. Allows all privileges and capabilities, suitable for trusted workloads.
B. Allows some privileges but restricts host networking and volume types.
C. Only restricts container image sources but allows all capabilities.
D. Disallows privileged containers and host namespaces, enforcing strict security.
💡 Hint
Think about the strictest security level that blocks privileged access.
💻 Command Output
intermediate
Output of Applying a Pod Security Admission Label
What is the output when you run the following command to label a namespace for the baseline Pod Security Standard enforcement?
kubectl label namespace dev pod-security.kubernetes.io/enforce=baseline
A. Error from server (NotFound): namespaces "dev" not found
B. namespace/dev labeled
C. Warning: label pod-security.kubernetes.io/enforce already exists
D. No resources labeled
💡 Hint
Check if the namespace exists before labeling.
Configuration
advanced
Correct Pod Security Admission Configuration in Namespace YAML
Which snippet correctly configures a namespace YAML manifest to enforce the restricted Pod Security Standard at the enforce level?
A
metadata:
  name: secure-ns
  annotations:
    pod-security.kubernetes.io/enforce-level: restricted
B
metadata:
  name: secure-ns
  labels:
    pod-security.kubernetes.io/enforce-level: restricted
C
metadata:
  name: secure-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
D
metadata:
  name: secure-ns
  annotations:
    pod-security.kubernetes.io/enforce: restricted
💡 Hint
Pod Security Admission uses labels, not annotations, for enforcement.
Troubleshoot
advanced
Troubleshooting Pod Creation Failure Due to Pod Security Admission
A developer tries to create a pod in a namespace labeled with pod-security.kubernetes.io/enforce=restricted but gets an error. Which of the following pod specs is most likely causing the failure?
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      privileged: true
A. The pod uses a privileged container which is disallowed by the restricted policy.
B. The pod image nginx is not allowed in restricted mode.
C. The pod lacks resource limits causing the failure.
D. The pod is missing a service account annotation.
💡 Hint
Restricted policy blocks privileged containers.
Best Practice
expert
Best Practice for Gradual Pod Security Standard Adoption
You want to gradually enforce Pod Security Standards in a large cluster without breaking existing workloads immediately. Which approach is best?
A. Use pod-security.kubernetes.io/warn=baseline labels first to audit violations before enforcing.
B. Label all namespaces with pod-security.kubernetes.io/enforce=restricted at once.
C. Remove all Pod Security Admission controllers to avoid enforcement issues.
D. Manually edit each pod to comply before applying any namespace labels.
💡 Hint
Start by warning to identify issues before blocking pods.