-
Information only.
Run the given command
-
There are different levels of Pod Security Standards. Identify the option that does not represent a valid Pod Security Standard from the following list.
Enforce
Restricted
Baseline
Privileged
The option that is not valid is
Enforce
Enforce is one of the three admission modes (enforce, audit, warn), not a level; the levels are Privileged, Baseline and Restricted.
-
We want to apply pod security on namespace alpha. To achieve that, add the following label to the namespace alpha:
pod-security.kubernetes.io/warn=baseline
kubectl label ns alpha pod-security.kubernetes.io/warn=baseline
-
We have provided a manifest baseline-pod.yaml at the /root location of the lab terminal.
Inspect it and create the pod using the manifest in the alpha namespace.
Note: You might see some warnings while applying the manifest. Ignore them for now; we will cover them in the next questions.
kubectl apply -n alpha -f /root/baseline-pod.yaml
-
Information only
-
How can a cluster administrator specify the configuration file path for the admission configuration resource in the API server?
In a Kubernetes cluster, the cluster administrator can specify the configuration file path for the admission configuration resource in the API server using the --admission-control-config-file flag.
This flag allows administrators to provide a file path that contains the configuration for admission controllers.
Bear in mind that this file is read from the API server pod's own file system, so you must mount it into that pod as a hostPath or ConfigMap volume.
-
We can also use multiple Pod Security Standards together for a single namespace.
For this step, label the namespace beta with Baseline: enforce and Restricted: warn.
kubectl label ns beta \
  pod-security.kubernetes.io/enforce=baseline \
  pod-security.kubernetes.io/warn=restricted
-
We have provided a manifest multi-psa.yaml at the /root location of the lab terminal.
Inspect it and create the pod using the manifest in the beta namespace.
Note: You might see some warnings while applying the manifest. This is expected.
kubectl apply -n beta -f /root/multi-psa.yaml
-
Information only
-
We have provided an AdmissionConfiguration resource manifest at the /root location with the name admission-configuration.yaml.
Inspect the manifest file and select the correct statement on the enforced policies and the restricted levels in the provided AdmissionConfiguration resource.
Baseline: Warning and Auditing, Restricted: Enforced and Auditing
Baseline: Enforced, Restricted: Enforced
Baseline: Auditing, Restricted: Enforced
Baseline: Enforced, Restricted: Auditing and Warning
cat /root/admission-configuration.yaml
Yields the following. Comments have been added to indicate what you should be looking at:
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: baseline      # <----
      enforce-version: latest
      audit: restricted      # <----
      audit-version: latest
      warn: restricted       # <----
      warn-version: latest
    exemptions:
      usernames: []
      runtimeClassNames: []
      namespaces: [my-namespace]
Which gives the answer
Baseline: Enforced, Restricted: Auditing and Warning
-
We have provided an AdmissionConfiguration resource manifest at the /root location with the name admission-configuration.yaml.
Which namespace is exempt from the policy enforced by the provided AdmissionConfiguration resource?
default
my-namespace
kube-system
development
This is the same file as in the previous question. Now look here...
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: baseline
      enforce-version: latest
      audit: restricted
      audit-version: latest
      warn: restricted
      warn-version: latest
    exemptions:                      # <----
      usernames: []
      runtimeClassNames: []
      namespaces: [my-namespace]     # <----
...giving the answer
my-namespace
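To tie the questions above together (valid levels versus modes, namespace labels, and the cluster defaults and exemptions in the AdmissionConfiguration), here is an added example, not part of the lab, that resolves the effective Pod Security Admission policy for a namespace. It assumes the defaults and exemptions from the page's admission-configuration.yaml, written inline as a Python dict rather than parsed from the file.

```python
# Added example (not the lab's code): resolve the effective PSA policy for a
# namespace from cluster defaults (AdmissionConfiguration) plus namespace labels.

LEVELS = ("privileged", "baseline", "restricted")   # the three valid standards
MODES = ("enforce", "audit", "warn")                 # admission modes, not levels
LABEL_PREFIX = "pod-security.kubernetes.io/"

# Constructed: mirrors the defaults and exemptions in the lab's
# /root/admission-configuration.yaml (assumption: same values as on the page).
ADMISSION_CONFIG = {
    "defaults": {
        "enforce": "baseline", "enforce-version": "latest",
        "audit": "restricted", "audit-version": "latest",
        "warn": "restricted", "warn-version": "latest",
    },
    "exemptions": {"usernames": [], "runtimeClassNames": [],
                   "namespaces": ["my-namespace"]},
}


def is_valid_level(level):
    """True only for privileged/baseline/restricted; 'enforce' is a mode, not a level."""
    return level in LEVELS


def effective_policy(ns_name, ns_labels, config=ADMISSION_CONFIG):
    """Return {mode: level} that PSA applies to pods created in ns_name.

    A label pod-security.kubernetes.io/<mode> on the namespace overrides the
    cluster default for that mode only; a namespace listed under
    exemptions.namespaces skips admission entirely.
    """
    if ns_name in config["exemptions"].get("namespaces", []):
        return {}  # exempt: no enforce, audit or warn checks at all
    policy = {}
    for mode in MODES:
        level = ns_labels.get(LABEL_PREFIX + mode, config["defaults"].get(mode))
        if level is None:
            continue
        if not is_valid_level(level):
            raise ValueError(f"{level!r} is not a Pod Security Standard level")
        policy[mode] = level
    return policy


if __name__ == "__main__":
    beta = {LABEL_PREFIX + "enforce": "baseline", LABEL_PREFIX + "warn": "restricted"}
    print("beta:", effective_policy("beta", beta))
    print("my-namespace:", effective_policy("my-namespace", {}))
```

Note how namespace alpha, labelled only with warn=baseline, still gets enforce=baseline and audit=restricted from the cluster defaults.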