
Pod security standards in Kubernetes - Mini Project: Build & Apply

Enforce Pod Security Standards in Kubernetes
📖 Scenario: You are a DevOps engineer managing a Kubernetes cluster for a small company. Your team wants to improve security by enforcing Pod Security Standards on namespaces to control what pods can do. Pod Security Standards help prevent risky pod configurations that could harm the cluster or leak data.
🎯 Goal: Learn how to create a namespace, add a Pod Security Admission label to enforce the restricted policy, and verify that pods comply with this security standard.
📋 What You'll Learn
Create a Kubernetes namespace called secure-app
Add a Pod Security Admission label to the namespace to enforce the restricted policy at enforce level
Deploy a pod manifest that complies with the restricted policy
Verify the pod runs successfully under the enforced policy
💡 Why This Matters
🌍 Real World
Pod Security Standards help teams prevent risky pod configurations that could lead to security breaches or unstable clusters.
💼 Career
Understanding how to enforce Pod Security Standards is essential for Kubernetes administrators and DevOps engineers to maintain secure and compliant clusters.
Step 1: Create the Kubernetes namespace
Create a Kubernetes namespace called secure-app using the kubectl command.

Hint: Use kubectl create namespace secure-app to create the namespace.

Step 2: Add Pod Security Admission label to enforce restricted policy
Add the label pod-security.kubernetes.io/enforce=restricted to the secure-app namespace using kubectl label namespace.

Hint: Use kubectl label namespace secure-app pod-security.kubernetes.io/enforce=restricted to add the label.

Step 3: Deploy a pod manifest that complies with restricted policy
Create a pod manifest YAML file named restricted-pod.yaml with a pod named restricted-pod in the secure-app namespace. Use the nginx image and ensure the pod does not run as root (set runAsNonRoot: true under securityContext).

Hint: Make sure the pod manifest includes runAsNonRoot: true under securityContext and uses the nginx image.

Step 4: Deploy the pod and verify it runs successfully
Apply the pod manifest restricted-pod.yaml using kubectl apply -f restricted-pod.yaml. Then check the pod status in the secure-app namespace with kubectl get pods -n secure-app and print the pod name and status.

Hint: Use kubectl apply -f restricted-pod.yaml to deploy and kubectl get pods -n secure-app to check status.
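
A manifest covering the four steps above, as an added example that is not part of the original tutorial: besides runAsNonRoot, the restricted profile also requires allowPrivilegeEscalation: false, all capabilities dropped, and a RuntimeDefault or Localhost seccomp profile. The stock nginx image starts as root, so this example assumes the nginxinc/nginx-unprivileged image (UID 101, listening on port 8080) in its place.

```yaml
# restricted-pod.yaml (added example; the image and UID are assumptions, see above)
apiVersion: v1
kind: Namespace
metadata:
  name: secure-app
  labels:
    # Same label as step 2: reject pods that violate the restricted profile.
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: restricted-pod
  namespace: secure-app
spec:
  securityContext:
    runAsNonRoot: true        # required by restricted
    runAsUser: 101            # assumed UID of the unprivileged nginx image
    seccompProfile:
      type: RuntimeDefault    # required by restricted (Localhost is also allowed)
  containers:
    - name: nginx
      # Assumption: non-root nginx build, used because the stock image starts as root.
      image: nginxinc/nginx-unprivileged
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false   # required by restricted
        capabilities:
          drop: ["ALL"]                   # required by restricted
```

A pod that omits any of the fields marked as required is rejected at admission in this namespace, and the error lists the checks it violated.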