Bird
Raised Fist0
Kubernetesdevops~30 mins

Pod security standards in Kubernetes - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Enforce Pod Security Standards in Kubernetes
📖 Scenario: You are a DevOps engineer managing a Kubernetes cluster for a small company. Your team wants to improve security by enforcing Pod Security Standards on namespaces to control what pods can do.Pod Security Standards help prevent risky pod configurations that could harm the cluster or leak data.
🎯 Goal: Learn how to create a namespace, add a Pod Security Admission label to enforce the restricted policy, and verify that pods comply with this security standard.
📋 What You'll Learn
Create a Kubernetes namespace called secure-app
Add a Pod Security Admission label to the namespace to enforce the restricted policy at enforce level
Deploy a pod manifest that complies with the restricted policy
Verify the pod runs successfully under the enforced policy
💡 Why This Matters
🌍 Real World
Pod Security Standards help teams prevent risky pod configurations that could lead to security breaches or unstable clusters.
💼 Career
Understanding how to enforce Pod Security Standards is essential for Kubernetes administrators and DevOps engineers to maintain secure and compliant clusters.
Progress0 / 4 steps
1
Create the Kubernetes namespace
Create a Kubernetes namespace called secure-app using the kubectl command.
Kubernetes
Hint

Use kubectl create namespace secure-app to create the namespace.

2
Add Pod Security Admission label to enforce restricted policy
Add the label pod-security.kubernetes.io/enforce=restricted to the secure-app namespace using kubectl label namespace.
Kubernetes
Hint

Use kubectl label namespace secure-app pod-security.kubernetes.io/enforce=restricted to add the label.

3
Deploy a pod manifest that complies with restricted policy
Create a pod manifest YAML file named restricted-pod.yaml with a pod named restricted-pod in the secure-app namespace. Use the nginx image and ensure the pod does not run as root (set runAsNonRoot: true under securityContext).
Kubernetes
Hint

Make sure the pod manifest includes runAsNonRoot: true under securityContext and uses the nginx image.

4
Deploy the pod and verify it runs successfully
Apply the pod manifest restricted-pod.yaml using kubectl apply -f restricted-pod.yaml. Then check the pod status in the secure-app namespace with kubectl get pods -n secure-app and print the pod name and status.
Kubernetes
Hint

Use kubectl apply -f restricted-pod.yaml to deploy and kubectl get pods -n secure-app to check status.

Practice

(1/5)
1. What is the main purpose of Kubernetes Pod Security Standards?
easy
A. To control pod permissions and prevent risky behaviors
B. To increase pod resource limits automatically
C. To schedule pods on specific nodes
D. To monitor pod network traffic

Solution

  1. Step 1: Understand Pod Security Standards

    Pod Security Standards define rules to restrict pod permissions and behaviors.

  2. Step 2: Identify the main goal

    The goal is to prevent risky pod behaviors like running as root or privileged mode.

  3. Final Answer:

    To control pod permissions and prevent risky behaviors -> Option A

  4. Quick Check:

    Pod Security Standards = Control permissions [OK]
Hint: Pod Security Standards limit pod permissions to keep cluster safe [OK]
Common Mistakes:
  • Confusing security standards with resource management
  • Thinking it schedules pods on nodes
  • Assuming it monitors network traffic
2. Which of the following is the correct way to label a namespace to enforce the 'restricted' Pod Security Standard in Kubernetes?
easy
A. kubectl set security namespace myns restricted
B. kubectl label pod mypod pod-security.kubernetes.io/enforce=restricted
C. kubectl annotate namespace myns pod-security.kubernetes.io/enforce=restricted
D. kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted

Solution

  1. Step 1: Identify correct resource and command

    Pod Security Standards are enforced by labeling namespaces, not pods.

  2. Step 2: Check correct syntax for labeling namespace

    The correct command is 'kubectl label namespace <name> pod-security.kubernetes.io/enforce=restricted'.

  3. Final Answer:

    kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted -> Option D

  4. Quick Check:

    Label namespace with enforce=restricted [OK]
Hint: Label namespaces, not pods, to enforce Pod Security Standards [OK]
Common Mistakes:
  • Labeling pods instead of namespaces
  • Using annotate instead of label
  • Using invalid kubectl commands
3. Given this pod spec snippet, which Pod Security Standard will it most likely violate? 
{
  "securityContext": {
    "runAsUser": 0,
    "privileged": true
  }
}
medium
A. Baseline
B. Restricted
C. Privileged
D. None

Solution

  1. Step 1: Analyze pod securityContext

    The pod runs as user 0 (root) and uses privileged mode, which is risky.

  2. Step 2: Match with Pod Security Standards

    Restricted standard forbids running as root and privileged mode, so this pod violates Restricted.

  3. Final Answer:

    Restricted -> Option B

  4. Quick Check:

    Root + privileged = violates Restricted [OK]
Hint: Root user and privileged mode break Restricted standard [OK]
Common Mistakes:
  • Confusing Baseline and Restricted standards
  • Thinking privileged mode is allowed in Restricted
  • Assuming no violation if pod runs as root
4. You labeled a namespace with pod-security.kubernetes.io/enforce=restricted, but pods running as root are still allowed. What is the most likely reason?
medium
A. The Pod Security Admission controller is not enabled in the cluster
B. The label was applied to the pod instead of the namespace
C. The pod spec is missing the securityContext field
D. The namespace label should be 'pod-security.kubernetes.io/warn=restricted'

Solution

  1. Step 1: Understand enforcement mechanism

    Pod Security Standards enforcement requires the Pod Security Admission controller enabled in the cluster.

  2. Step 2: Check other options

    Labeling pod instead of namespace or missing securityContext won't bypass enforcement if controller is active. Warning label only warns, does not enforce.

  3. Final Answer:

    The Pod Security Admission controller is not enabled in the cluster -> Option A

  4. Quick Check:

    Admission controller must be enabled for enforcement [OK]
Hint: Enforcement needs admission controller enabled [OK]
Common Mistakes:
  • Applying label to pod instead of namespace
  • Confusing warn label with enforce label
  • Assuming missing securityContext disables enforcement
5. You want to enforce the 'baseline' Pod Security Standard but allow some pods to run as root for legacy reasons. Which approach best balances security and flexibility?
hard
A. Disable Pod Security Admission controller and manually review pods
B. Label the namespace with 'pod-security.kubernetes.io/enforce=restricted' and remove root user from all pods
C. Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods
D. Label each pod with 'pod-security.kubernetes.io/enforce=baseline' individually

Solution

  1. Step 1: Understand baseline enforcement with exceptions

    Baseline standard is less strict than restricted and allows some flexibility.

  2. Step 2: Use exceptions for legacy pods

    Pod Security Exceptions allow specific pods to bypass some rules while enforcing baseline on the namespace.

  3. Step 3: Evaluate other options

    Restricted is stricter, disabling admission controller removes security, labeling pods individually is not standard practice.

  4. Final Answer:

    Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods -> Option C

  5. Quick Check:

    Baseline + exceptions = balance security and legacy needs [OK]
Hint: Use baseline label plus exceptions for legacy pods [OK]
Common Mistakes:
  • Using restricted standard which is too strict
  • Disabling admission controller reduces security
  • Labeling pods individually instead of namespace