☸️ Kubernetes Pod Security Admission Labs

🎯 Objective

Learn how to enforce security standards for Kubernetes workloads using Pod Security Admission (PSA) and Pod Security Standards.


🧰 Prerequisites

  • Kubernetes 1.25+ cluster (PSA enabled by default)

  • kubectl configured

  • Permission to set labels on your own namespace (the PSA labels live on the Namespace object, so this usually means namespace admin or cluster-admin rights)


🔹 Lab 1: Understand Pod Security Standards (PSS)

The Pod Security Standards define three levels, from loosest to strictest:

  • Privileged: Unrestricted; allows known privilege escalations (privileged containers, host namespaces, hostPath). Unsuitable for multi-tenant clusters.

  • Baseline: Minimally restrictive; blocks the known privilege escalations above while admitting most ordinary workloads without changes.

  • Restricted: Heavily restricted; additionally requires current hardening practices such as running as non-root, dropping all capabilities, disallowing privilege escalation and setting a seccomp profile.

✅ PSA enforces these levels per namespace, through labels of the form pod-security.kubernetes.io/<mode>=<level>, where mode is enforce (reject violating pods), audit (record violations in the API server audit log) or warn (return a warning to the client). Each level admits every pod that passes a stricter level, so a restricted-compliant pod is also baseline-compliant.

Step 1: Capture your current namespace for the next labs

Get the name of your current namespace with the following command and note it:

Store it in an environment variable; the next labs label this namespace and create pods in it.
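The namespace capture and the labeling steps used throughout these labs, as an added example that is not part of the original lab. It assumes kubectl points at a 1.25+ cluster and that you may label the namespace; the function names (current_namespace, psa_set, psa_unset, psa_show) are chosen here.

```shell
#!/bin/sh
# Added example, not part of the original lab: capture the current namespace
# once, then set, inspect and remove Pod Security Admission labels on it.
# Assumes kubectl points at a 1.25+ cluster and you may label that namespace.

# Namespace of the active kubectl context; empty means "default", which is
# what kubectl itself assumes.
current_namespace() {
    ns=$(kubectl config view --minify -o jsonpath='{..namespace}' 2>/dev/null)
    printf '%s\n' "${ns:-default}"
}

# Build the label arguments for one PSA mode.  Modes: enforce (reject),
# audit (annotate the audit log), warn (return a warning to the client).
# Levels: privileged, baseline, restricted.  The optional version pins the
# profile definition (e.g. v1.29) so a cluster upgrade cannot silently change
# what a level means; without it the cluster uses "latest".
psa_label_args() { # psa_label_args <mode> <level> [version]
    mode=$1 level=$2 version=${3:-}
    case "$mode" in
        enforce|audit|warn) ;;
        *) echo "unknown PSA mode: $mode" >&2; return 1 ;;
    esac
    case "$level" in
        privileged|baseline|restricted) ;;
        *) echo "unknown PSA level: $level" >&2; return 1 ;;
    esac
    printf 'pod-security.kubernetes.io/%s=%s' "$mode" "$level"
    if [ -n "$version" ]; then
        printf ' pod-security.kubernetes.io/%s-version=%s' "$mode" "$version"
    fi
    printf '\n'
}

# Apply one mode to the namespace.  --overwrite allows moving straight from
# one level to another without removing the old label first.
psa_set() { # psa_set <namespace> <mode> <level> [version]
    # word-splitting of the generated arguments is intended here
    kubectl label namespace "$1" --overwrite $(psa_label_args "$2" "$3" "${4:-}")
}

# Remove a mode's label and, if present, its version pin (a trailing "-"
# deletes a label).
psa_unset() { # psa_unset <namespace> <mode>
    kubectl label namespace "$1" "pod-security.kubernetes.io/$2-version-" >/dev/null 2>&1 || true
    kubectl label namespace "$1" "pod-security.kubernetes.io/$2-"
}

# Print only the pod-security labels, so the check after each step is quick.
psa_show() { # psa_show <namespace>
    kubectl get namespace "$1" -o jsonpath='{.metadata.labels}' \
        | tr ',{}' '\n\n\n' | grep 'pod-security.kubernetes.io' || echo "(no PSA labels)"
}

# Walk-through: enforce baseline, only warn about restricted, inspect, clean up.
if [ "${1:-}" = run ]; then
    NS=$(current_namespace)
    echo "working in namespace: $NS"
    psa_set "$NS" enforce baseline
    psa_set "$NS" warn restricted
    psa_show "$NS"
    psa_unset "$NS" enforce
    psa_unset "$NS" warn
fi
```

Run it as `sh psa-labels.sh run` to execute the walk-through against your cluster; sourcing the file without arguments only defines the functions. Combining enforce=baseline with warn=restricted is the usual rollout pattern: nothing breaks today, but every apply shows what would break when you move enforce to restricted.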


🔹 Lab 2: Deploy a Privileged Pod

Step 1: Try with privileged policy

First, label the current namespace as privileged:

You may check that the label has been added correctly using:

✅ Expected: admitted while the namespace is labeled privileged (the privileged level imposes no restrictions).

Cleanup

Delete the pod for clean up:

Also delete the label on the namespace:

Step 2: Try with baseline policy

First, label the namespace with the baseline policy:

You may check that the label has been added correctly using:

❌ Expected: Rejected by PSA (the baseline level forbids securityContext.privileged=true; the error names the container and the violated control).

Cleanup

Delete the pod for clean up:

Also delete the label on the namespace:


🔹 Lab 3: Deploy a Baseline-Compliant Pod

Step 1: Try with baseline policy

First, label the namespace with the baseline policy:

You may check that the label has been added correctly using:

✅ Works with baseline policy.

Cleanup

Delete the pod for clean up:

Also delete the label on the namespace:

Step 2: Try with restricted policy

First, label the namespace with the restricted policy:

You may check that the label has been added correctly using:

❌ Expected: Rejected by PSA (the restricted level additionally requires allowPrivilegeEscalation=false, dropping all capabilities, runAsNonRoot=true and a seccompProfile of RuntimeDefault or Localhost; a baseline-only pod sets none of these).

Cleanup

Delete the pod for clean up:

Also delete the label on the namespace:


🔹 Lab 4: Deploy a Restricted-Compliant Pod

Step 1: Try with baseline policy

First, label the namespace with the baseline policy:

You may check that the label has been added correctly using:

✅ Expected: still admitted under baseline (a pod that satisfies restricted satisfies every looser level).

Cleanup

Delete the pod for clean up:

Also delete the label on the namespace:

Step 2: Try with restricted policy

First, label the namespace with the restricted policy:

You may check that the label has been added correctly using:

✅ Expected: admitted under restricted as well.

Cleanup

Delete the pod for clean up:

Also delete the label on the namespace:
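The three pods behind Labs 2, 3 and 4 and the full admission matrix they produce, as an added example that is not the lab's own manifests. It goes slightly beyond the labs by trying every pod under every enforce level in one loop. It assumes NS holds the namespace captured in Lab 1, that you may label it, that the image busybox:1.36 is pullable, and the pod names psa-privileged, psa-baseline and psa-restricted are chosen here.

```shell
#!/bin/sh
# Added example, not the lab's own manifests: the three pods behind Labs 2-4
# and the admission matrix they produce, run as one loop.  Assumes NS holds the
# namespace captured in Lab 1, that you may label it, and that busybox:1.36 is
# pullable; pod names (psa-*) are chosen here.

# Lab 2 pod: admitted only under "privileged" (securityContext.privileged=true
# gives the container full access to the node).
pod_privileged() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: psa-privileged
spec:
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      privileged: true
EOF
}

# Lab 3 pod: satisfies "baseline" (no privileged flag, host namespaces or
# hostPath) but still runs as root and may gain privileges, so "restricted"
# rejects it.
pod_baseline() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: psa-baseline
spec:
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sleep", "3600"]
EOF
}

# Lab 4 pod: every field the "restricted" profile checks is set explicitly.
pod_restricted() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: psa-restricted
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534            # "nobody" in busybox; any non-zero UID works
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

# Expected outcome for (enforce level, pod): a pod is admitted at its own level
# and every looser one; "privileged" admits everything.
expected() { # expected <level> <pod>
    case "$1/$2" in
        privileged/*)          echo admitted ;;
        baseline/privileged)   echo rejected ;;
        baseline/*)            echo admitted ;;
        restricted/restricted) echo admitted ;;
        *)                     echo rejected ;;
    esac
}

# Label, apply, compare with the matrix, clean up.  kubectl apply exits
# non-zero when admission rejects the pod; the reason is on stderr.
try_pod() { # try_pod <level> <pod>
    err=$(mktemp)
    kubectl label namespace "$NS" --overwrite "pod-security.kubernetes.io/enforce=$1" >/dev/null
    if "pod_$2" | kubectl apply -n "$NS" -f - >/dev/null 2>"$err"; then
        got=admitted
        kubectl delete pod -n "$NS" "psa-$2" --wait=false >/dev/null
    else
        got=rejected
        sed -n 's/.*violates PodSecurity/  violates PodSecurity/p' "$err"
    fi
    kubectl label namespace "$NS" pod-security.kubernetes.io/enforce- >/dev/null
    rm -f "$err"
    printf '%-10s %-10s expected=%-8s got=%s\n' "$1" "$2" "$(expected "$1" "$2")" "$got"
}

if [ "${1:-}" = run ]; then
    : "${NS:?set NS to the namespace from Lab 1}"
    for level in privileged baseline restricted; do
        for pod in privileged baseline restricted; do try_pod "$level" "$pod"; done
    done
fi
```

Run with `NS=<your namespace> sh psa-matrix.sh run`; every row should print matching expected and got values, and each rejected row is followed by the admission controller's own reason line, which names the container and the offending field. If a row disagrees, another admission mechanism (a webhook, ValidatingAdmissionPolicy, or an exemption for your user) is in play and is worth finding before relying on PSA alone.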


🔹 Lab 5: View PodSecurity Violations

✅ Shows any PSA violations for that namespace.
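Three ways to surface PodSecurity violations without breaking running workloads, as an added example that is not the lab's own command. It assumes kubectl access to the namespace in NS; the sample warning text is constructed for the offline check and the pod names in it are invented.

```shell
#!/bin/sh
# Added example, not part of the original lab: three ways to surface
# PodSecurity violations in namespace $NS.  Assumes kubectl access to the
# namespace; the sample warning text at the bottom is constructed for the
# offline check, not captured from a real cluster.

# 1. Dry-run a stricter label: the API server answers with one warning per
#    existing pod that would violate the level, and changes nothing.
preview_violations() { # preview_violations <namespace> <level>
    kubectl label --dry-run=server --overwrite namespace "$1" \
        "pod-security.kubernetes.io/enforce=$2" 2>&1 >/dev/null
}

# 2. Pods created by controllers never pass through kubectl, so a rejection
#    shows up only as a FailedCreate event on the ReplicaSet/Job/DaemonSet.
controller_rejections() { # controller_rejections <namespace>
    kubectl get events -n "$1" --field-selector reason=FailedCreate \
        -o custom-columns='OBJECT:.involvedObject.name,MESSAGE:.message' \
        | grep -F 'violates PodSecurity' || echo "no controller-side rejections"
}

# 3. Use warn and audit instead of enforce to collect violations over time:
#    warn is returned to the client on every create/update, audit is written
#    to the API server audit log as the annotation
#    pod-security.kubernetes.io/audit-violations (audit logging must be on).
set_observe_only() { # set_observe_only <namespace> <level>
    kubectl label namespace "$1" --overwrite \
        "pod-security.kubernetes.io/warn=$2" "pod-security.kubernetes.io/audit=$2"
}

# Turn the warning stream from preview_violations into "pod: reasons" lines by
# dropping the "Warning: " prefix and the leading summary line.
summarize_warnings() {
    sed -n 's/^Warning: //p' | grep -v '^existing pods in namespace'
}

# Constructed sample in the format kubectl prints for the dry-run above; the
# namespace, pod names and reasons are invented for this example.
SAMPLE_WARNINGS='Warning: existing pods in namespace "team-a" violate the new PodSecurity enforce level "restricted:latest"
Warning: web-6b9d7f5c4-x2kq9: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: debug-shell: privileged'

if [ "${1:-}" = run ]; then
    : "${NS:?set NS to the namespace from Lab 1}"
    echo "# pods that would be rejected if enforce were set to restricted:"
    preview_violations "$NS" restricted | summarize_warnings
    echo "# controller-created pods already rejected:"
    controller_rejections "$NS"
else
    printf '%s\n' "$SAMPLE_WARNINGS" | summarize_warnings
fi
```

The dry-run in preview_violations is the safest first step before tightening a namespace: it lists exactly which running pods would be rejected, per pod and per control, so you can fix manifests before flipping enforce. Remember that a rejected controller-managed pod leaves the Deployment looking healthy in `kubectl get deploy` except for a lagging READY count, which is why the FailedCreate events matter.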


✅ Wrap-Up

  • ✅ Learned Kubernetes Pod Security Standards (Privileged, Baseline, Restricted)

  • ✅ Enforced namespace-based pod security with PSA

  • ✅ Practiced deploying compliant and non-compliant pods

  • ✅ Strengthened workload isolation using native Kubernetes controls

