Bird
Raised Fist0
Kubernetesdevops~10 mins

Pod security standards in Kubernetes - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to specify the Pod Security Standard level in the namespace annotation.

Kubernetes
apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  annotations:
    pod-security.kubernetes.io/enforce: [1]
Drag options to blanks, or click blank then click option'
Arestricted
Bprivileged
Cbaseline
Dnone
Attempts:
3 left
💡 Hint
Common Mistakes
Choosing 'privileged' which allows more permissions than desired.
2fill in blank
medium

Complete the code to set the audit level for Pod Security Standards in the namespace annotation.

Kubernetes
apiVersion: v1
kind: Namespace
metadata:
  name: audit-namespace
  annotations:
    pod-security.kubernetes.io/audit: [1]
Drag options to blanks, or click blank then click option'
Arestricted
Bnone
Cprivileged
Dbaseline
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'privileged' which is too permissive for audit.
3fill in blank
hard

Fix the error in the Pod Security Standard annotation key to enforce the baseline policy.

Kubernetes
apiVersion: v1
kind: Namespace
metadata:
  name: baseline-namespace
  annotations:
    pod-security.kubernetes.io/enforce: [1]
Drag options to blanks, or click blank then click option'
Aprivileged
Brestricted
Cbaseline
Dnone
Attempts:
3 left
💡 Hint
Common Mistakes
Using incorrect annotation keys like 'enforce-baseline'.
4fill in blank
hard

Fill both blanks to set the enforce and warn levels for Pod Security Standards in a namespace.

Kubernetes
apiVersion: v1
kind: Namespace
metadata:
  name: mixed-namespace
  annotations:
    pod-security.kubernetes.io/enforce: [1]
    pod-security.kubernetes.io/warn: [2]
Drag options to blanks, or click blank then click option'
Arestricted
Bbaseline
Cprivileged
Dnone
Attempts:
3 left
💡 Hint
Common Mistakes
Setting both enforce and warn to the same level.
5fill in blank
hard

Fill all three blanks to create a Pod Security Standard policy with enforce, warn, and audit levels.

Kubernetes
apiVersion: v1
kind: Namespace
metadata:
  name: full-policy-namespace
  annotations:
    pod-security.kubernetes.io/enforce: [1]
    pod-security.kubernetes.io/warn: [2]
    pod-security.kubernetes.io/audit: [3]
Drag options to blanks, or click blank then click option'
Arestricted
Bbaseline
Cprivileged
Dnone
Attempts:
3 left
💡 Hint
Common Mistakes
Mixing up the order of enforce, warn, and audit levels.

Practice

(1/5)
1. What is the main purpose of Kubernetes Pod Security Standards?
easy
A. To control pod permissions and prevent risky behaviors
B. To increase pod resource limits automatically
C. To schedule pods on specific nodes
D. To monitor pod network traffic

Solution

  1. Step 1: Understand Pod Security Standards

    Pod Security Standards define rules to restrict pod permissions and behaviors.

  2. Step 2: Identify the main goal

    The goal is to prevent risky pod behaviors like running as root or privileged mode.

  3. Final Answer:

    To control pod permissions and prevent risky behaviors -> Option A

  4. Quick Check:

    Pod Security Standards = Control permissions [OK]
Hint: Pod Security Standards limit pod permissions to keep cluster safe [OK]
Common Mistakes:
  • Confusing security standards with resource management
  • Thinking it schedules pods on nodes
  • Assuming it monitors network traffic
2. Which of the following is the correct way to label a namespace to enforce the 'restricted' Pod Security Standard in Kubernetes?
easy
A. kubectl set security namespace myns restricted
B. kubectl label pod mypod pod-security.kubernetes.io/enforce=restricted
C. kubectl annotate namespace myns pod-security.kubernetes.io/enforce=restricted
D. kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted

Solution

  1. Step 1: Identify correct resource and command

    Pod Security Standards are enforced by labeling namespaces, not pods.

  2. Step 2: Check correct syntax for labeling namespace

    The correct command is 'kubectl label namespace <name> pod-security.kubernetes.io/enforce=restricted'.

  3. Final Answer:

    kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted -> Option D

  4. Quick Check:

    Label namespace with enforce=restricted [OK]
Hint: Label namespaces, not pods, to enforce Pod Security Standards [OK]
Common Mistakes:
  • Labeling pods instead of namespaces
  • Using annotate instead of label
  • Using invalid kubectl commands
3. Given this pod spec snippet, which Pod Security Standard will it most likely violate? 
{
  "securityContext": {
    "runAsUser": 0,
    "privileged": true
  }
}
medium
A. Baseline
B. Restricted
C. Privileged
D. None

Solution

  1. Step 1: Analyze pod securityContext

    The pod runs as user 0 (root) and uses privileged mode, which is risky.

  2. Step 2: Match with Pod Security Standards

    Restricted standard forbids running as root and privileged mode, so this pod violates Restricted.

  3. Final Answer:

    Restricted -> Option B

  4. Quick Check:

    Root + privileged = violates Restricted [OK]
Hint: Root user and privileged mode break Restricted standard [OK]
Common Mistakes:
  • Confusing Baseline and Restricted standards
  • Thinking privileged mode is allowed in Restricted
  • Assuming no violation if pod runs as root
4. You labeled a namespace with pod-security.kubernetes.io/enforce=restricted, but pods running as root are still allowed. What is the most likely reason?
medium
A. The Pod Security Admission controller is not enabled in the cluster
B. The label was applied to the pod instead of the namespace
C. The pod spec is missing the securityContext field
D. The namespace label should be 'pod-security.kubernetes.io/warn=restricted'

Solution

  1. Step 1: Understand enforcement mechanism

    Pod Security Standards enforcement requires the Pod Security Admission controller enabled in the cluster.

  2. Step 2: Check other options

    Labeling pod instead of namespace or missing securityContext won't bypass enforcement if controller is active. Warning label only warns, does not enforce.

  3. Final Answer:

    The Pod Security Admission controller is not enabled in the cluster -> Option A

  4. Quick Check:

    Admission controller must be enabled for enforcement [OK]
Hint: Enforcement needs admission controller enabled [OK]
Common Mistakes:
  • Applying label to pod instead of namespace
  • Confusing warn label with enforce label
  • Assuming missing securityContext disables enforcement
5. You want to enforce the 'baseline' Pod Security Standard but allow some pods to run as root for legacy reasons. Which approach best balances security and flexibility?
hard
A. Disable Pod Security Admission controller and manually review pods
B. Label the namespace with 'pod-security.kubernetes.io/enforce=restricted' and remove root user from all pods
C. Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods
D. Label each pod with 'pod-security.kubernetes.io/enforce=baseline' individually

Solution

  1. Step 1: Understand baseline enforcement with exceptions

    Baseline standard is less strict than restricted and allows some flexibility.

  2. Step 2: Use exceptions for legacy pods

    Pod Security Exceptions allow specific pods to bypass some rules while enforcing baseline on the namespace.

  3. Step 3: Evaluate other options

    Restricted is stricter, disabling admission controller removes security, labeling pods individually is not standard practice.

  4. Final Answer:

    Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods -> Option C

  5. Quick Check:

    Baseline + exceptions = balance security and legacy needs [OK]
Hint: Use baseline label plus exceptions for legacy pods [OK]
Common Mistakes:
  • Using restricted standard which is too strict
  • Disabling admission controller reduces security
  • Labeling pods individually instead of namespace