Labs - Pod Security Admission

  • Take me to the lab.
  1. Information only.

    Run the given command

  2. There are different levels of Pod security standards. Identify the option that does not represent a valid Pod security standard from the following list.
    • Enforce
    • Restricted
    • Baseline
    • Privileged

    The option that is not valid is Enforce

  3. We want to apply pod security on namespace alpha. To achieve that, add the following label to the namespace alpha
    pod-security.kubernetes.io/warn=baseline
    
    kubectl label ns alpha pod-security.kubernetes.io/warn=baseline
    
  4. We have provided a manifest baseline-pod.yaml at the /root location of the lab terminal.
    Inspect it and create the pod using the manifest in the alpha namespace.

    Note: You might see some warnings while applying the manifest. Ignore them for now; we will cover them in the next questions.

    kubectl apply -n alpha -f /root/baseline-pod.yaml
    
  5. Information only

  6. How can a cluster administrator specify the configuration file path for the admission configuration resource in the API server?

    In a Kubernetes cluster, the cluster administrator can specify the configuration file path for the admission configuration resource in the API server using the --admission-control-config-file flag.

    This flag takes the path of a file containing the configuration for admission plugins (for Pod Security Admission, an AdmissionConfiguration resource with a PodSecurity plugin entry).

    Bear in mind that the path is resolved inside the API server pod's file system, so the file must be mounted into that pod as a hostPath or ConfigMap volume. Because kube-apiserver normally runs as a static pod, which cannot reference ConfigMaps, a hostPath volume is the usual choice.
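    The mount described above, as an added example that is not part of the lab: the relevant parts of a kubeadm-style kube-apiserver static pod manifest (/etc/kubernetes/manifests/kube-apiserver.yaml). The directory /etc/kubernetes/admission and the file name admission-configuration.yaml are assumptions; the flag is the one named in the answer. The kubelet restarts the static pod when this manifest changes, so a broken path or malformed file shows up as an API server that fails to come back.

```yaml
# Added example (not the lab's file): trimmed kube-apiserver static pod manifest.
# Paths under /etc/kubernetes/admission are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0   # assumed version
    command:
    - kube-apiserver
    # other kube-apiserver flags unchanged
    - --admission-control-config-file=/etc/kubernetes/admission/admission-configuration.yaml
    volumeMounts:
    - name: admission-config
      mountPath: /etc/kubernetes/admission
      readOnly: true                # the API server only reads the file
  volumes:
  - name: admission-config
    hostPath:                       # static pods cannot use ConfigMap volumes
      path: /etc/kubernetes/admission
      type: Directory
```

    The file placed at /etc/kubernetes/admission/admission-configuration.yaml on the control plane node is the AdmissionConfiguration resource inspected in steps 10 and 11.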

  7. We can also use multiple pod security standards together for a single namespace.
    For this step, label the namespace beta with the Baseline: enforce and Restricted: warn.
    kubectl label ns beta \
        pod-security.kubernetes.io/enforce=baseline \
        pod-security.kubernetes.io/warn=restricted
    
  8. We have provided a manifest multi-psa.yaml at the /root location of the lab terminal.
    Inspect it and create the pod using the manifest in the beta namespace.

    Note: You might see some warnings while applying the manifest. This is expected.

    kubectl apply -n beta -f /root/multi-psa.yaml
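    What the two labels from step 7 do to a pod created in beta, as an added example that is not part of the lab or of Kubernetes: a small Python simulation of Pod Security Admission that implements a subset of the baseline and restricted checks from the Pod Security Standards and evaluates each mode (enforce, warn, audit) independently. The sample pods and the warning text format are constructed for the example; only the label names and level names come from the page.

```python
"""Simulate Pod Security Admission applying several modes to one namespace.

Added example, not part of the lab or of Kubernetes. It implements a subset of
the baseline and restricted checks from the Pod Security Standards to show what
happens in a namespace labelled enforce=baseline and warn=restricted (step 7):
a pod that is fine for baseline but not for restricted is created with a
warning, while a privileged pod is rejected outright.
"""

PREFIX = "pod-security.kubernetes.io/"


def _all_containers(pod):
    spec = pod["spec"]
    return spec.get("containers", []) + spec.get("initContainers", [])


def baseline_violations(pod):
    """Subset of baseline: no privileged containers, host namespaces or hostPath volumes."""
    spec = pod["spec"]
    problems = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            problems.append(f"{key} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"hostPath volume {vol['name']!r} is not allowed")
    for c in _all_containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']!r} is privileged")
    return problems


def restricted_violations(pod):
    """Subset of restricted: all of baseline, plus hardening the pod must opt into."""
    pod_sc = pod["spec"].get("securityContext", {})
    problems = baseline_violations(pod)
    for c in _all_containers(pod):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r} must set allowPrivilegeEscalation=false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"container {name!r} must drop ALL capabilities")
        # runAsNonRoot may be set at pod level and overridden per container
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            problems.append(f"container {name!r} must set runAsNonRoot=true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name!r} needs seccompProfile RuntimeDefault or Localhost")
    return problems


CHECKS = {
    "privileged": lambda pod: [],   # the privileged level allows everything
    "baseline": baseline_violations,
    "restricted": restricted_violations,
}


def admit(pod, namespace_labels):
    """Evaluate every mode independently, as the PodSecurity plugin does.

    Returns a dict with admitted (enforce), warnings (warn) and audit (audit).
    A mode whose label is absent defaults to privileged, i.e. no checks.
    """
    result = {"admitted": True, "warnings": [], "audit": []}
    for mode in ("enforce", "warn", "audit"):
        level = namespace_labels.get(PREFIX + mode, "privileged")
        violations = CHECKS[level](pod)
        if not violations:
            continue
        if mode == "enforce":
            result["admitted"] = False
        elif mode == "warn":
            # constructed message shape, modelled on the API server warnings
            result["warnings"] = [f'would violate PodSecurity "{level}:latest": {v}' for v in violations]
        else:
            result["audit"] = violations
    return result


# Constructed sample data: the step 7 labels and three pods.
BETA_LABELS = {PREFIX + "enforce": "baseline", PREFIX + "warn": "restricted"}

# Ordinary pod: passes baseline, but sets none of the restricted hardening fields.
PLAIN_POD = {"spec": {"containers": [{"name": "app", "image": "nginx"}]}}

# Privileged container: baseline itself forbids this.
PRIVILEGED_POD = {"spec": {"containers": [
    {"name": "app", "image": "nginx", "securityContext": {"privileged": True}}]}}

# Fully hardened pod: satisfies the restricted subset checked here.
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for name, pod in (("plain", PLAIN_POD), ("privileged", PRIVILEGED_POD), ("hardened", HARDENED_POD)):
        print(name, admit(pod, BETA_LABELS))
```

    Running it shows the three outcomes a practitioner should expect from step 8: the plain pod is admitted with four restricted warnings (that is what the "expected" warnings in the note are), the privileged pod is refused by the baseline enforce mode, and the hardened pod passes silently. Removing the enforce label from BETA_LABELS lets the privileged pod through, which is why warn-only labelling (step 3) is a rollout aid rather than a control.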
    
  9. Information only

  10. We have provided an AdmissionConfiguration resource manifest at the /root location with name admission-configuration.yaml.
    Inspect the manifest file and select the statement that correctly describes the enforced and restricted levels in the provided AdmissionConfiguration resource.
    • Baseline: Warning and Auditing, Restricted: Enforced and Auditing
    • Baseline: Enforced, Restricted: Enforced
    • Baseline: Auditing, Restricted: Enforced
    • Baseline: Enforced, Restricted: Auditing and Warning
    cat /root/admission-configuration.yaml

    Yields the following; comments have been added to show where to look:

    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1
        kind: PodSecurityConfiguration
        defaults:
          enforce: baseline           # <----
          enforce-version: latest
          audit: restricted           # <----
          audit-version: latest
          warn: restricted            # <----
          warn-version: latest
        exemptions:
          usernames: []
          runtimeClassNames: []
          namespaces: [my-namespace]

    Which gives the answer Baseline: Enforced, Restricted: Auditing and Warning

  11. We have provided an AdmissionConfiguration resource manifest at the /root location with name admission-configuration.yaml.
    Which namespace is exempt from the policy enforced by the provided AdmissionConfiguration resource?
    • default
    • my-namespace
    • kube-system
    • development

    This is the same file as the previous question. Now look here...

    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1
        kind: PodSecurityConfiguration
        defaults:
          enforce: baseline
          enforce-version: latest
          audit: restricted
          audit-version: latest
          warn: restricted
          warn-version: latest
        exemptions:                     # <----
          usernames: []
          runtimeClassNames: []
          namespaces: [my-namespace]    # <----

    ...giving the answer my-namespace
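    How the defaults from step 10 and the exemption from step 11 combine with the namespace labels set in steps 3 and 7, as an added example that is not part of the lab or of Kubernetes: a Python model of the precedence rules the PodSecurity plugin applies. An exempt namespace is skipped entirely; otherwise each mode takes the namespace label when present and falls back to the `defaults` block. The PodSecurityConfiguration is embedded as a Python dict (mirroring the lab manifest above) so the script runs without PyYAML; the namespace label sets are constructed from the steps on this page.

```python
"""Resolve the effective Pod Security levels for a namespace.

Added example, not part of the lab or of Kubernetes. It models the precedence
rules of the PodSecurity admission plugin: a namespace listed under
exemptions is skipped entirely; otherwise each mode takes the namespace label
if present and falls back to the `defaults` block of the
PodSecurityConfiguration from steps 10 and 11.
"""

PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")

# Constructed: the PodSecurityConfiguration block from the lab manifest, as a dict.
PLUGIN_CONFIG = {
    "defaults": {
        "enforce": "baseline", "enforce-version": "latest",
        "audit": "restricted", "audit-version": "latest",
        "warn": "restricted", "warn-version": "latest",
    },
    "exemptions": {"usernames": [], "runtimeClassNames": [], "namespaces": ["my-namespace"]},
}


def exempt_namespaces(config=PLUGIN_CONFIG):
    """Namespaces for which the plugin performs no checks at all."""
    return list(config["exemptions"].get("namespaces", []))


def effective_levels(namespace, labels, config=PLUGIN_CONFIG):
    """Return {mode: (level, version)} for the namespace, or None when it is exempt.

    A mode with neither a namespace label nor a configured default is
    'privileged' at version 'latest', which is the plugin's built-in default.
    """
    if namespace in exempt_namespaces(config):
        return None
    defaults = config["defaults"]
    resolved = {}
    for mode in MODES:
        level = labels.get(PREFIX + mode, defaults.get(mode, "privileged"))
        version = labels.get(PREFIX + mode + "-version", defaults.get(mode + "-version", "latest"))
        resolved[mode] = (level, version)
    return resolved


# Constructed: the namespaces used in this lab plus the exempt one.
NAMESPACES = {
    "alpha": {PREFIX + "warn": "baseline"},                                   # step 3
    "beta": {PREFIX + "enforce": "baseline", PREFIX + "warn": "restricted"},  # step 7
    "my-namespace": {},                                                       # exempt
    "default": {},                                                            # defaults only
}

if __name__ == "__main__":
    for ns, labels in NAMESPACES.items():
        print(f"{ns:13s}", effective_levels(ns, labels) or "exempt (no checks)")
```

    Two things the output makes visible that the labels alone do not: alpha, which was only given a warn label, is still enforced at baseline because the cluster default supplies the enforce mode, and my-namespace gets no checks at all regardless of how it is labelled, so the exemptions list deserves the same review as an RBAC cluster-admin binding.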