Bird
Raised Fist0
Kubernetesdevops~5 mins

Pod security standards in Kubernetes - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What are Pod Security Standards in Kubernetes?
Pod Security Standards are predefined security profiles that help control the security settings of pods to protect the cluster from unsafe configurations.
Click to reveal answer
beginner
Name the three main Pod Security Standards profiles.
The three main profiles are: Privileged, Baseline, and Restricted. Each defines different levels of security restrictions for pods.
Click to reveal answer
intermediate
What does the 'Restricted' Pod Security Standard profile enforce?
The Restricted profile enforces the highest security level by limiting permissions and capabilities, preventing privilege escalation, and enforcing strict policies.
Click to reveal answer
intermediate
How can Pod Security Standards be applied in a Kubernetes cluster?
They can be applied using the Pod Security Admission Controller to enforce security profiles on pods during creation or update.
Click to reveal answer
beginner
Why is it important to use Pod Security Standards?
Using Pod Security Standards helps prevent security risks like privilege escalation, unauthorized access, and unsafe container configurations, protecting the cluster and workloads.
Click to reveal answer
Which Pod Security Standard profile allows the most permissions?
ABaseline
BRestricted
CPrivileged
DNone
What tool in Kubernetes enforces Pod Security Standards during pod creation?
Aetcd
Bkubectl apply
Ckube-proxy
DPod Security Admission Controller
Which Pod Security Standard profile is recommended for most production workloads?
APrivileged
BBaseline
CRestricted
DNone
What is a key restriction in the Restricted Pod Security Standard?
ADisallowing privilege escalation
BNo restrictions
CAllowing all capabilities
DAllowing privilege escalation
Pod Security Standards help prevent which of the following?
AUnsafe container configurations
BFaster pod startup
CIncreased resource usage
DAutomatic scaling
Explain the differences between the Privileged, Baseline, and Restricted Pod Security Standard profiles.
Think about how each profile controls pod permissions and security.
You got /3 concepts.
    Describe how Pod Security Standards improve security in a Kubernetes cluster.
    Focus on the security risks these standards help to reduce.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main purpose of Kubernetes Pod Security Standards?
      easy
      A. To control pod permissions and prevent risky behaviors
      B. To increase pod resource limits automatically
      C. To schedule pods on specific nodes
      D. To monitor pod network traffic

      Solution

      1. Step 1: Understand Pod Security Standards

        Pod Security Standards define rules to restrict pod permissions and behaviors.

      2. Step 2: Identify the main goal

        The goal is to prevent risky pod behaviors like running as root or privileged mode.

      3. Final Answer:

        To control pod permissions and prevent risky behaviors -> Option A

      4. Quick Check:

        Pod Security Standards = Control permissions [OK]
      Hint: Pod Security Standards limit pod permissions to keep cluster safe [OK]
      Common Mistakes:
      • Confusing security standards with resource management
      • Thinking it schedules pods on nodes
      • Assuming it monitors network traffic
      2. Which of the following is the correct way to label a namespace to enforce the 'restricted' Pod Security Standard in Kubernetes?
      easy
      A. kubectl set security namespace myns restricted
      B. kubectl label pod mypod pod-security.kubernetes.io/enforce=restricted
      C. kubectl annotate namespace myns pod-security.kubernetes.io/enforce=restricted
      D. kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted

      Solution

      1. Step 1: Identify correct resource and command

        Pod Security Standards are enforced by labeling namespaces, not pods.

      2. Step 2: Check correct syntax for labeling namespace

        The correct command is 'kubectl label namespace <name> pod-security.kubernetes.io/enforce=restricted'.

      3. Final Answer:

        kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted -> Option D

      4. Quick Check:

        Label namespace with enforce=restricted [OK]
      Hint: Label namespaces, not pods, to enforce Pod Security Standards [OK]
      Common Mistakes:
      • Labeling pods instead of namespaces
      • Using annotate instead of label
      • Using invalid kubectl commands
      3. Given this pod spec snippet, which Pod Security Standard will it most likely violate? 
      {
  "securityContext": {
    "runAsUser": 0,
    "privileged": true
  }
}
      medium
      A. Baseline
      B. Restricted
      C. Privileged
      D. None

      Solution

      1. Step 1: Analyze pod securityContext

        The pod runs as user 0 (root) and uses privileged mode, which is risky.

      2. Step 2: Match with Pod Security Standards

        Restricted standard forbids running as root and privileged mode, so this pod violates Restricted.

      3. Final Answer:

        Restricted -> Option B

      4. Quick Check:

        Root + privileged = violates Restricted [OK]
      Hint: Root user and privileged mode break Restricted standard [OK]
      Common Mistakes:
      • Confusing Baseline and Restricted standards
      • Thinking privileged mode is allowed in Restricted
      • Assuming no violation if pod runs as root
      4. You labeled a namespace with pod-security.kubernetes.io/enforce=restricted, but pods running as root are still allowed. What is the most likely reason?
      medium
      A. The Pod Security Admission controller is not enabled in the cluster
      B. The label was applied to the pod instead of the namespace
      C. The pod spec is missing the securityContext field
      D. The namespace label should be 'pod-security.kubernetes.io/warn=restricted'

      Solution

      1. Step 1: Understand enforcement mechanism

        Pod Security Standards enforcement requires the Pod Security Admission controller enabled in the cluster.

      2. Step 2: Check other options

        Labeling pod instead of namespace or missing securityContext won't bypass enforcement if controller is active. Warning label only warns, does not enforce.

      3. Final Answer:

        The Pod Security Admission controller is not enabled in the cluster -> Option A

      4. Quick Check:

        Admission controller must be enabled for enforcement [OK]
      Hint: Enforcement needs admission controller enabled [OK]
      Common Mistakes:
      • Applying label to pod instead of namespace
      • Confusing warn label with enforce label
      • Assuming missing securityContext disables enforcement
      5. You want to enforce the 'baseline' Pod Security Standard but allow some pods to run as root for legacy reasons. Which approach best balances security and flexibility?
      hard
      A. Disable Pod Security Admission controller and manually review pods
      B. Label the namespace with 'pod-security.kubernetes.io/enforce=restricted' and remove root user from all pods
      C. Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods
      D. Label each pod with 'pod-security.kubernetes.io/enforce=baseline' individually

      Solution

      1. Step 1: Understand baseline enforcement with exceptions

        Baseline standard is less strict than restricted and allows some flexibility.

      2. Step 2: Use exceptions for legacy pods

        Pod Security Exceptions allow specific pods to bypass some rules while enforcing baseline on the namespace.

      3. Step 3: Evaluate other options

        Restricted is stricter, disabling admission controller removes security, labeling pods individually is not standard practice.

      4. Final Answer:

        Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods -> Option C

      5. Quick Check:

        Baseline + exceptions = balance security and legacy needs [OK]
      Hint: Use baseline label plus exceptions for legacy pods [OK]
      Common Mistakes:
      • Using restricted standard which is too strict
      • Disabling admission controller reduces security
      • Labeling pods individually instead of namespace