
You want to enforce the 'restricted' Pod Security Standard on a namespace but allow pods to use a specific hostPath volume for logging. How can you achieve this?

hard📝 Workflow Q8 of 15
Kubernetes - RBAC and Security
A. Label the namespace with 'restricted' and create an exception using a Pod Security Admission webhook
B. Set the namespace label to 'baseline' to allow hostPath volumes
C. Remove Pod Security Standards enforcement and rely on manual audits
D. Use a privileged Pod Security Standard to allow all hostPath volumes
Step-by-Step Solution
Solution:
  1. Step 1: Understand restricted policy and exceptions

    Restricted forbids hostPath volumes, but exceptions can be made via admission webhooks.
  2. Step 2: Apply restricted label with exception

    Label namespace as restricted and configure a Pod Security Admission webhook to allow specific hostPath usage.
  3. Final Answer:

    Label the namespace with 'restricted' and create an exception using a Pod Security Admission webhook -> Option A
  4. Quick Check:

    Restricted + webhook exception = allow specific hostPath [OK]
Quick Trick: Use admission webhook for exceptions in restricted policy [OK]
Common Mistakes:
  • Downgrading to baseline to allow hostPath
  • Disabling enforcement instead of exceptions
  • Using privileged policy unnecessarily
