150150 </ li >
151151 < li class ="toctree-l1 current "> < a class ="reference internal current " href ="# "> Lab K112 - Pod Security Admission</ a >
152152 < ul class ="current ">
153- < li class ="toctree-l2 "> < a class ="reference internal " href ="#lab-objective "> 🧭 Lab Objective</ a >
153+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#lab-objective "> Lab Objective</ a >
154154 </ li >
155- < li class ="toctree-l2 "> < a class ="reference internal " href ="#prerequisites "> 📚 Prerequisites</ a >
155+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#prerequisites "> Prerequisites</ a >
156156 </ li >
157- < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-1-understand-pod-security-levels "> 🗂️ Step 1: Understand Pod Security Levels</ a >
157+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-1-understand-pod-security-levels "> Step 1: Understand Pod Security Levels</ a >
158158 </ li >
159- < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-2-label-namespaces-with-psa-modes "> 🧪 Step 2: Label Namespaces with PSA Modes</ a >
159+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-2-label-namespaces-with-psa-modes "> Step 2: Label Namespaces with PSA Modes</ a >
160160 < ul >
161161 < li class ="toctree-l3 "> < a class ="reference internal " href ="#create-namespaces "> Create Namespaces</ a >
162162 </ li >
163163 < li class ="toctree-l3 "> < a class ="reference internal " href ="#apply-psa-labels "> Apply PSA Labels</ a >
164164 </ li >
165165 </ ul >
166166 </ li >
167- < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-3-test-pod-deployment-in-labeled-namespaces "> 🧪 Step 3: Test Pod Deployment in Labeled Namespaces</ a >
167+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-3-test-pod-deployment-in-labeled-namespaces "> Step 3: Test Pod Deployment in Labeled Namespaces</ a >
168168 < ul >
169169 < li class ="toctree-l3 "> < a class ="reference internal " href ="#create-a-non-compliant-pod-yaml-violates-restricted-policy "> Create a Non-Compliant Pod YAML (violates restricted policy)</ a >
170170 </ li >
171171 < li class ="toctree-l3 "> < a class ="reference internal " href ="#try-applying-in-different-namespaces "> Try Applying in Different Namespaces</ a >
172172 </ li >
173173 </ ul >
174174 </ li >
175- < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-5 -create-a-compliant-pod "> 🛡️ Step 5 : Create a Compliant Pod</ a >
175+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-4 -create-a-compliant-pod "> Step 4 : Create a Compliant Pod</ a >
176176 </ li >
177- < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-5-fixing-the-compliant-pod-for-restrictedlatest "> 🔧 Step 5: Fixing the Compliant Pod for restricted:latest</ a >
177+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-5-fixing-the-compliant-pod-for-restrictedlatest "> Step 5: Fixing the Compliant Pod for restricted:latest</ a >
178178 </ li >
179- < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-6-view-psa-labels-and-behavior "> 🧰 Step 6: View PSA Labels and Behavior</ a >
179+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#step-6-view-psa-labels-and-behavior "> Step 6: View PSA Labels and Behavior</ a >
180180 </ li >
181- < li class ="toctree-l2 "> < a class ="reference internal " href ="#cleanup "> 🧼 Cleanup</ a >
181+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#cleanup "> Cleanup</ a >
182182 </ li >
183- < li class ="toctree-l2 "> < a class ="reference internal " href ="#summary "> 📘 Summary</ a >
183+ < li class ="toctree-l2 "> < a class ="reference internal " href ="#summary "> Summary</ a >
184184 </ li >
185185 </ ul >
186186 </ li >
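Review bot: the renumbered sidebar entry `Step 4: Create a Compliant Pod` with its new `#step-4…` href closes the numbering gap between Step 3 and the old Step 5, but it is only valid because the body hunk further down changes the heading id in the same commit; keep the two in one change if this is ever split. Separately, the sidebar title `Lab K112 - Pod Security Admission` does not match the page h1 `Pod Security Admission (PSA) in Kubernetes`; consider aligning the two so search and breadcrumbs agree.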
345345 < div role ="main " class ="document " itemscope ="itemscope " itemtype ="http://schema.org/Article ">
346346 < div class ="section " itemprop ="articleBody ">
347347
348- < h1 id ="pod-security-admission-psa-in-kubernetes "> 🧪 Pod Security Admission (PSA) in Kubernetes</ h1 >
349- < h2 id ="lab-objective "> 🧭 Lab Objective</ h2 >
348+ < h1 id ="pod-security-admission-psa-in-kubernetes "> Pod Security Admission (PSA) in Kubernetes</ h1 >
349+ < h2 id ="lab-objective "> Lab Objective</ h2 >
350350< p > By the end of this lab, you'll:</ p >
351351< ul >
352352< li > Understand what PSA is and how it differs from PSP.</ li >
@@ -355,15 +355,15 @@ <h2 id="lab-objective">🧭 Lab Objective</h2>
355355< li > Validate pod behavior based on enforced policies.</ li >
356356</ ul >
357357< hr />
358- < h2 id ="prerequisites "> 📚 Prerequisites</ h2 >
358+ < h2 id ="prerequisites "> Prerequisites</ h2 >
359359< ul >
360360< li > Kubernetes v1.23+ (PSA became stable in v1.25).</ li >
361361< li > < code > kubectl</ code > configured with admin access.</ li >
362362< li > A cluster (KIND or Minikube is fine for labs).</ li >
363363< li > YAML editing tool (or any editor).</ li >
364364</ ul >
365365< hr />
366- < h2 id ="step-1-understand-pod-security-levels "> 🗂️ Step 1: Understand Pod Security Levels</ h2 >
366+ < h2 id ="step-1-understand-pod-security-levels "> Step 1: Understand Pod Security Levels</ h2 >
367367< p > Kubernetes provides < strong > 3 built-in policy levels</ strong > under PSA:</ p >
368368< table >
369369< thead >
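Review bot: the prerequisite `Kubernetes v1.23+ (PSA became stable in v1.25)` is looser than what the later steps need: Step 5 targets `restricted:latest` under enforce mode, and on v1.23 and v1.24 PSA is still beta, so the evaluated checks and the warning text can differ from what the lab shows. Suggest requiring v1.25+ outright, or adding one sentence stating that the expected output assumes 1.25 or newer.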
@@ -388,7 +388,7 @@ <h2 id="step-1-understand-pod-security-levels">🗂️ Step 1: Understand Pod Se
388388</ tbody >
389389</ table >
390390< hr />
391- < h2 id ="step-2-label-namespaces-with-psa-modes "> 🧪 Step 2: Label Namespaces with PSA Modes</ h2 >
391+ < h2 id ="step-2-label-namespaces-with-psa-modes "> Step 2: Label Namespaces with PSA Modes</ h2 >
392392< p > Namespaces can be configured with:</ p >
393393< ul >
394394< li > < code > enforce</ code > : blocks pods that violate the policy.</ li >
@@ -411,7 +411,7 @@ <h3 id="apply-psa-labels">Apply PSA Labels</h3>
411411 pod-security.kubernetes.io/warn-version=latest
412412</ code > </ pre >
413413< hr />
414- < h2 id ="step-3-test-pod-deployment-in-labeled-namespaces "> 🧪 Step 3: Test Pod Deployment in Labeled Namespaces</ h2 >
414+ < h2 id ="step-3-test-pod-deployment-in-labeled-namespaces "> Step 3: Test Pod Deployment in Labeled Namespaces</ h2 >
415415< h3 id ="create-a-non-compliant-pod-yaml-violates-restricted-policy "> Create a Non-Compliant Pod YAML (violates restricted policy)</ h3 >
416416< pre > < code class ="language-yaml "> # insecure-pod.yaml
417417apiVersion: v1
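Review bot: `pod-security.kubernetes.io/warn-version=latest` (and the `restricted:latest` target that the later step is named after) floats with the control-plane version, so a cluster upgrade can start rejecting or warning on pods that passed before. Step 2 should say that `latest` is acceptable for a lab but that production namespaces should pin the policy version (for example `pod-security.kubernetes.io/enforce-version=v1.25`) and bump it deliberately after testing.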
@@ -436,7 +436,7 @@ <h3 id="try-applying-in-different-namespaces">Try Applying in Different Namespac
436436⚠️ < code > test-ns</ code > will accept it but emit warnings (check via < code > kubectl events</ code > ).</ p >
437437</ blockquote >
438438< hr />
439- < h2 id ="step-5 -create-a-compliant-pod "> 🛡️ Step 5 : Create a Compliant Pod</ h2 >
439+ < h2 id ="step-4 -create-a-compliant-pod "> Step 4 : Create a Compliant Pod</ h2 >
440440< pre > < code class ="language-yaml "> # secure-pod.yaml
441441apiVersion: v1
442442kind: Pod
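Review bot: the new heading `Step 4: Create a Compliant Pod` is misleading, because the next heading is `Step 5: Fixing the Compliant Pod for restricted:latest`; the pod in `secure-pod.yaml` is evidently not yet compliant with `restricted`. Suggest something like `Step 4: First Attempt at a Compliant Pod` and a sentence saying what to expect on apply. Also, the `⚠️` in the blockquote context above survived the emoji cleanup; if the intent is to strip emojis page-wide, this one should go too.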
@@ -453,7 +453,7 @@ <h2 id="step-5-create-a-compliant-pod">🛡️ Step 5: Create a Compliant Pod</h
453453< pre > < code class ="language-bash "> kubectl apply -f secure-pod.yaml -n secure-ns
454454</ code > </ pre >
455455< hr />
456- < h2 id ="step-5-fixing-the-compliant-pod-for-restrictedlatest "> 🔧 Step 5: Fixing the Compliant Pod for restricted:latest</ h2 >
456+ < h2 id ="step-5-fixing-the-compliant-pod-for-restrictedlatest "> Step 5: Fixing the Compliant Pod for restricted:latest</ h2 >
457457< p > Here’s what we must fix:</ p >
458458< p > Capabilities must explicitly drop ALL.</ p >
459459< p > Seccomp profile must be explicitly set to RuntimeDefault.</ p >
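Review bot: `kubectl apply -f secure-pod.yaml -n secure-ns` in Step 4 carries no expected outcome, yet Step 5 opens with `Here's what we must fix`, so readers cannot tell whether the Step 4 apply is rejected by enforce or only warned about. State the expected result next to the command (the admission error or the warning text), mirroring the `# Should succeed` annotation used in Step 5.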
@@ -478,7 +478,7 @@ <h2 id="step-5-fixing-the-compliant-pod-for-restrictedlatest">🔧 Step 5: Fixin
478478</ code > </ pre >
479479< pre > < code class ="language-bash "> kubectl apply -f secure-pod.yaml -n secure-ns # ✅ Should succeed
480480</ code > </ pre >
481- < p > 🧠 Why These Fields Matter in restricted</ p >
481+ < p > Why These Fields Matter in restricted</ p >
482482< table >
483483< thead >
484484< tr >
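Review bot: `# ✅ Should succeed` at line 479 still carries an emoji after a commit that removes them from every heading; either leave body emojis alone everywhere or drop this one as well for consistency. On substance, the two fixes listed in Step 5 (drop `ALL` capabilities, `seccompProfile.type: RuntimeDefault`) are correct for `restricted`, but the profile also requires `allowPrivilegeEscalation: false` and `runAsNonRoot: true`; if the elided parts of `secure-pod.yaml` do not already set them, the step should list those too, otherwise the apply will still be rejected.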
@@ -506,7 +506,7 @@ <h2 id="step-5-fixing-the-compliant-pod-for-restrictedlatest">🔧 Step 5: Fixin
506506</ tbody >
507507</ table >
508508< hr />
509- < h2 id ="step-6-view-psa-labels-and-behavior "> 🧰 Step 6: View PSA Labels and Behavior</ h2 >
509+ < h2 id ="step-6-view-psa-labels-and-behavior "> Step 6: View PSA Labels and Behavior</ h2 >
510510< p > Check labels:</ p >
511511< pre > < code class ="language-bash "> kubectl get ns --show-labels
512512</ code > </ pre >
@@ -515,11 +515,11 @@ <h2 id="step-6-view-psa-labels-and-behavior">🧰 Step 6: View PSA Labels and Be
515515kubectl get events -n secure-ns
516516</ code > </ pre >
517517< hr />
518- < h2 id ="cleanup "> 🧼 Cleanup</ h2 >
518+ < h2 id ="cleanup "> Cleanup</ h2 >
519519< pre > < code class ="language-bash "> kubectl delete ns secure-ns test-ns
520520</ code > </ pre >
521521< hr />
522- < h2 id ="summary "> 📘 Summary</ h2 >
522+ < h2 id ="summary "> Summary</ h2 >
523523< table >
524524< thead >
525525< tr >
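Review bot: Step 6 uses `kubectl get events -n secure-ns` while Step 3 tells readers to check warnings via `kubectl events`; the two should be the same form, and only `kubectl get events` exists on every release the prerequisites admit (the `kubectl events` subcommand is newer). Also worth noting in Step 6 that warn-mode messages are returned to the client and printed in the `kubectl apply` output itself, so that is the first place to look, with the events listing as the follow-up.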