Enforce a Pod Security Baseline with Admission Labels
Lock the shared cluster down with Pod Security Admission so namespaces reject privileged, host-mounting, and root-running pods by default — and add a network policy so a compromised pod can't freely talk to its neighbors.
#security#containers
LabYeetcode, a coding bootcamp that lets students deploy to a shared cluster and discovered one of them running a privileged pod that mounted the host filesystem "to see if it worked." It did.all labs
02 - Actions
score -- - -- votes
-- completed
Sign in with a real account to save ratings, completions, and share snapshots.
Stateloading
03 - Scenario
Yeetcode, a coding bootcamp that lets students deploy to a shared cluster and discovered one of them running a privileged pod that mounted the host filesystem "to see if it worked." It did.
Lock the shared cluster down with Pod Security Admission so namespaces reject privileged, host-mounting, and root-running pods by default — and add a network policy so a compromised pod can't freely talk to its neighbors.
Constraints
Enforce the 'baseline' (ideally 'restricted') Pod Security standard per namespace
A privileged or hostPath pod must be rejected at admission, not just flagged
Default-deny east-west traffic; pods open only the connections they need
Cluster-agnostic Terraform — runs against AWS, Azure, or GCP Kubernetes
ScenarioMULTI - intermediate
05 - Steps
STEP_01
Create a governed namespace
Make a namespace for student workloads. This is the unit Pod Security Admission acts on — every pod that lands here will be measured against the standard you set next.
Apply the pod-security.kubernetes.io/enforce label (start at 'baseline', aim for 'restricted') to the namespace. Add the warn and audit labels too so violations are also surfaced, not just blocked.
Hint: 'restricted' is strict — it requires runAsNonRoot, dropped capabilities, and a seccomp profile. Land on 'baseline' first, then ratchet up.
Apply a deliberately bad pod — privileged, or mounting a hostPath — to the governed namespace and confirm the API server rejects it at admission. Capture the rejection message; that denial is the proof the control works.
Add a network policy that denies all ingress in the namespace, then a second policy that allows only the specific traffic the app needs. A compromised pod should not be able to scan its neighbors.
Install a well-behaved app via Helm into the governed namespace and confirm it admits cleanly under the standard and reaches only its allowed dependencies through the network policy.