Skip to content

Pod Security Admission Lab #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bmppa wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Pod Security Admission Lab #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6d81923
added folder for day 5
bmppa Nov 17, 2025
9e3bf72
updated folder structure
bmppa Nov 17, 2025
91bb1aa
updated README file for day 5
bmppa Nov 17, 2025
a48eba6
updated README file with cleanup section
bmppa Nov 17, 2025
dc3478b
formated README file
bmppa Dec 14, 2025
176b6f4
updated folder
bmppa Dec 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
127 changes: 127 additions & 0 deletions day-028/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
# Day 28: Pod Security Admission

## THE IDEA:
This lab will show you how to:

1. Enable PSA on a namespace
2. Attempt to deploy a non-compliant pod
3. Modify the pod to comply with the `restricted` profile

## THE SETUP:

A cluster running Kubernetes v1.25 or above.

## WHAT I LEARNED:
Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards.
Pod security restrictions are applied at the namespace level when pods are created.

## WHY IT MATTERS:
Kubernetes can block risky workloads before they run, using the native PSA — no 3rd party tools needed!
Good for quick, standard security posture enforcement.

TRY IT:
🧪 Interactive Lab: https://killercoda.com/chadmcrowell/course/kubeskills-daily/day-028

---

### ✅ **Step 1: Create a namespace with PSA labels**

PSA is enforced via labels on the namespace.

```yaml
apiVersion: v1
kind: Namespace
metadata:
name: psa-lab
labels:
pod-security.kubernetes.io/enforce: "restricted"
pod-security.kubernetes.io/enforce-version: "latest"
```

Apply it:

```bash
kubectl apply -f namespace.yaml
```

---

### 🚫 **Step 2: Try deploying a non-compliant privileged Pod**

This pod will violate the `restricted` policy because it uses `privileged: true`.

```yaml
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
namespace: psa-lab
spec:
containers:
- name: ubuntu
image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233
command: [ "sh", "-c", "sleep 1h" ]
securityContext:
privileged: true
```

Try applying it:

```bash
kubectl apply -f privileged-pod.yaml
```

🔒 You should see an error like this:

```
Error from server (Forbidden): error when creating "privileged-pod.yaml": pods "privileged-pod" is forbidden: violates PodSecurity "restricted:latest": privileged (container "ubuntu" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "ubuntu" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ubuntu" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ubuntu" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "ubuntu" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

---

### ✅ **Step 3: Fix the pod to comply with `restricted`**

Update the pod to meet the requirements:

```yaml
apiVersion: v1
kind: Pod
metadata:
name: restricted-pod
namespace: psa-lab
spec:
containers:
- name: ubuntu
image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233
command: [ "sh", "-c", "sleep 1h" ]
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefault
```

Apply it:

```bash
kubectl apply -f restricted-pod.yaml
```

✅ This time, it should deploy successfully.

```bash
pod/restricted-pod created
```

---

### ✅ **Step 4: Cleanup**

To cleanup the environment, run the following command:

```bash
kubectl apply -f namespace.yaml
```
7 changes: 7 additions & 0 deletions day-028/manifests/namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: psa-lab
labels:
pod-security.kubernetes.io/enforce: "restricted"
pod-security.kubernetes.io/enforce-version: "latest"
12 changes: 12 additions & 0 deletions day-028/manifests/privileged-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
namespace: psa-lab
spec:
containers:
- name: ubuntu
image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233
command: [ "sh", "-c", "sleep 1h" ]
securityContext:
privileged: true
18 changes: 18 additions & 0 deletions day-028/manifests/restricted-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: restricted-pod
namespace: psa-lab
spec:
containers:
- name: ubuntu
image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233
command: [ "sh", "-c", "sleep 1h" ]
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefault