Bird
Raised Fist0
Kubernetesdevops~10 mins

Pod security standards in Kubernetes - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Process Flow - Pod security standards
Pod Creation Request
Check Pod Security Standards
Pass
Pod Runs
When a pod is created, Kubernetes checks its security settings against defined standards. If it passes, the pod runs; if not, it is rejected or warned.
Execution Sample
Kubernetes
apiVersion: policy/v1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
This YAML defines a Pod Security Policy that disallows privileged pods.
Process Table
StepPod Security CheckPod Spec FieldCheck ResultAction Taken
1Check privileged flagprivileged: falsePassContinue checking
2Check hostNetwork usagehostNetwork: falsePassContinue checking
3Check volume typesvolumes: emptyDirPassContinue checking
4Check runAsUserrunAsUser: MustRunAsNonRootPassPod allowed
5Final decision--Pod runs successfully
💡 All security checks passed, pod is allowed to run
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4Final
privilegedundefinedfalsefalsefalsefalsefalse
hostNetworkundefinedundefinedfalsefalsefalsefalse
volumesundefinedundefinedundefinedemptyDiremptyDiremptyDir
runAsUserundefinedundefinedundefinedundefinedMustRunAsNonRootMustRunAsNonRoot
podAllowedfalsefalsefalsefalsetruetrue
Key Moments - 3 Insights
Why does the pod get rejected if 'privileged' is true?
Because the Pod Security Standard requires 'privileged' to be false for restricted pods, as shown in step 1 of the execution table where 'privileged: false' passes the check.
What happens if the pod uses hostNetwork: true?
The pod fails the security check at step 2 because hostNetwork must be false to meet the standard, preventing the pod from running.
Why is 'runAsUser: MustRunAsNonRoot' important?
It ensures the pod does not run as root, increasing security. Step 4 shows this check passing, allowing the pod to run.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the result of the privileged flag check at step 1?
AFail
BPass
CSkipped
DWarning
💡 Hint
Refer to the 'Check Result' column in row for step 1 in the execution table.
At which step does the pod get allowed to run?
AStep 4
BStep 5
CStep 2
DStep 3
💡 Hint
Look at the 'Action Taken' column to find when 'Pod allowed' appears.
If the pod used 'hostNetwork: true', what would change in the execution table?
AStep 1 would fail the check
BStep 4 would fail the check
CStep 2 would fail the check
DNo change, pod still allowed
💡 Hint
Check the 'Pod Spec Field' and 'Check Result' columns for step 2.
Concept Snapshot
Pod Security Standards check pod specs on creation.
Key fields: privileged=false, hostNetwork=false, runAsUser=non-root.
Pods passing all checks are allowed to run.
Pods failing are rejected or warned.
This protects cluster security by enforcing safe defaults.
Full Transcript
Pod security standards in Kubernetes ensure pods meet security rules before running. When a pod is created, Kubernetes checks fields like 'privileged', 'hostNetwork', and 'runAsUser'. If all checks pass, the pod runs. If any check fails, the pod is rejected or warned. For example, privileged mode must be false to prevent pods from having too many permissions. Host network usage is also restricted. Running as non-root user is enforced. These checks protect the cluster from unsafe pod configurations.

Practice

(1/5)
1. What is the main purpose of Kubernetes Pod Security Standards?
easy
A. To control pod permissions and prevent risky behaviors
B. To increase pod resource limits automatically
C. To schedule pods on specific nodes
D. To monitor pod network traffic

Solution

  1. Step 1: Understand Pod Security Standards

    Pod Security Standards define rules to restrict pod permissions and behaviors.

  2. Step 2: Identify the main goal

    The goal is to prevent risky pod behaviors like running as root or privileged mode.

  3. Final Answer:

    To control pod permissions and prevent risky behaviors -> Option A

  4. Quick Check:

    Pod Security Standards = Control permissions [OK]
Hint: Pod Security Standards limit pod permissions to keep cluster safe [OK]
Common Mistakes:
  • Confusing security standards with resource management
  • Thinking it schedules pods on nodes
  • Assuming it monitors network traffic
2. Which of the following is the correct way to label a namespace to enforce the 'restricted' Pod Security Standard in Kubernetes?
easy
A. kubectl set security namespace myns restricted
B. kubectl label pod mypod pod-security.kubernetes.io/enforce=restricted
C. kubectl annotate namespace myns pod-security.kubernetes.io/enforce=restricted
D. kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted

Solution

  1. Step 1: Identify correct resource and command

    Pod Security Standards are enforced by labeling namespaces, not pods.

  2. Step 2: Check correct syntax for labeling namespace

    The correct command is 'kubectl label namespace <name> pod-security.kubernetes.io/enforce=restricted'.

  3. Final Answer:

    kubectl label namespace myns pod-security.kubernetes.io/enforce=restricted -> Option D

  4. Quick Check:

    Label namespace with enforce=restricted [OK]
Hint: Label namespaces, not pods, to enforce Pod Security Standards [OK]
Common Mistakes:
  • Labeling pods instead of namespaces
  • Using annotate instead of label
  • Using invalid kubectl commands
3. Given this pod spec snippet, which Pod Security Standard will it most likely violate? 
{
  "securityContext": {
    "runAsUser": 0,
    "privileged": true
  }
}
medium
A. Baseline
B. Restricted
C. Privileged
D. None

Solution

  1. Step 1: Analyze pod securityContext

    The pod runs as user 0 (root) and uses privileged mode, which is risky.

  2. Step 2: Match with Pod Security Standards

    Restricted standard forbids running as root and privileged mode, so this pod violates Restricted.

  3. Final Answer:

    Restricted -> Option B

  4. Quick Check:

    Root + privileged = violates Restricted [OK]
Hint: Root user and privileged mode break Restricted standard [OK]
Common Mistakes:
  • Confusing Baseline and Restricted standards
  • Thinking privileged mode is allowed in Restricted
  • Assuming no violation if pod runs as root
4. You labeled a namespace with pod-security.kubernetes.io/enforce=restricted, but pods running as root are still allowed. What is the most likely reason?
medium
A. The Pod Security Admission controller is not enabled in the cluster
B. The label was applied to the pod instead of the namespace
C. The pod spec is missing the securityContext field
D. The namespace label should be 'pod-security.kubernetes.io/warn=restricted'

Solution

  1. Step 1: Understand enforcement mechanism

    Pod Security Standards enforcement requires the Pod Security Admission controller enabled in the cluster.

  2. Step 2: Check other options

    Labeling pod instead of namespace or missing securityContext won't bypass enforcement if controller is active. Warning label only warns, does not enforce.

  3. Final Answer:

    The Pod Security Admission controller is not enabled in the cluster -> Option A

  4. Quick Check:

    Admission controller must be enabled for enforcement [OK]
Hint: Enforcement needs admission controller enabled [OK]
Common Mistakes:
  • Applying label to pod instead of namespace
  • Confusing warn label with enforce label
  • Assuming missing securityContext disables enforcement
5. You want to enforce the 'baseline' Pod Security Standard but allow some pods to run as root for legacy reasons. Which approach best balances security and flexibility?
hard
A. Disable Pod Security Admission controller and manually review pods
B. Label the namespace with 'pod-security.kubernetes.io/enforce=restricted' and remove root user from all pods
C. Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods
D. Label each pod with 'pod-security.kubernetes.io/enforce=baseline' individually

Solution

  1. Step 1: Understand baseline enforcement with exceptions

    Baseline standard is less strict than restricted and allows some flexibility.

  2. Step 2: Use exceptions for legacy pods

    Pod Security Exceptions allow specific pods to bypass some rules while enforcing baseline on the namespace.

  3. Step 3: Evaluate other options

    Restricted is stricter, disabling admission controller removes security, labeling pods individually is not standard practice.

  4. Final Answer:

    Label the namespace with 'pod-security.kubernetes.io/enforce=baseline' and use Pod Security Exceptions for specific pods -> Option C

  5. Quick Check:

    Baseline + exceptions = balance security and legacy needs [OK]
Hint: Use baseline label plus exceptions for legacy pods [OK]
Common Mistakes:
  • Using restricted standard which is too strict
  • Disabling admission controller reduces security
  • Labeling pods individually instead of namespace