SHART.CLOUD | DESKTOP | LABROULETTE | KUBERNETES-POD-SECURITY-BASELINE.YAML
01 - Labroulette - Enforce a Pod Security Baseline with Admission Labels
| shart.cloud / labroulette / kubernetes-pod-security-baseline |
MULTI **O ~80 min $0-3 reviewed 6/29/2026

Enforce a Pod Security Baseline with Admission Labels

Lock the shared cluster down with Pod Security Admission so namespaces reject privileged, host-mounting, and root-running pods by default — and add a network policy so a compromised pod can't freely talk to its neighbors.

#security#containers
Lab Yeetcode, a coding bootcamp that lets students deploy to a shared cluster and discovered one of them running a privileged pod that mounted the host filesystem "to see if it worked." It did. all labs
02 - Actions
score -- - -- votes
-- completed
State loading
03 - Scenario

Yeetcode, a coding bootcamp that lets students deploy to a shared cluster and discovered one of them running a privileged pod that mounted the host filesystem "to see if it worked." It did.

Lock the shared cluster down with Pod Security Admission so namespaces reject privileged, host-mounting, and root-running pods by default — and add a network policy so a compromised pod can't freely talk to its neighbors.

Constraints

  • Enforce the 'baseline' (ideally 'restricted') Pod Security standard per namespace
  • A privileged or hostPath pod must be rejected at admission, not just flagged
  • Default-deny east-west traffic; pods open only the connections they need
  • Cluster-agnostic Terraform — runs against AWS, Azure, or GCP Kubernetes
Scenario MULTI - intermediate
05 - Steps
  1. STEP_01

    Create a governed namespace

    Make a namespace for student workloads. This is the unit Pod Security Admission acts on — every pod that lands here will be measured against the standard you set next.

    Terraform docs

  2. STEP_02

    Turn on the baseline standard

    Apply the pod-security.kubernetes.io/enforce label (start at 'baseline', aim for 'restricted') to the namespace. Add the warn and audit labels too so violations are also surfaced, not just blocked.

    Hint: 'restricted' is strict — it requires runAsNonRoot, dropped capabilities, and a seccomp profile. Land on 'baseline' first, then ratchet up.

    Terraform docs

  3. STEP_03

    Try to break in

    Apply a deliberately bad pod — privileged, or mounting a hostPath — to the governed namespace and confirm the API server rejects it at admission. Capture the rejection message; that denial is the proof the control works.

    Terraform docs

  4. STEP_04

    Default-deny the network

    Add a network policy that denies all ingress in the namespace, then a second policy that allows only the specific traffic the app needs. A compromised pod should not be able to scan its neighbors.

    Terraform docs

  5. STEP_05

    Deploy a conforming app

    Install a well-behaved app via Helm into the governed namespace and confirm it admits cleanly under the standard and reaches only its allowed dependencies through the network policy.

    Terraform docs

Steps 5 tasks
06 - Deliverables
  • A Terraform module that creates the namespace, pod-security labels, and network policies
  • The admission rejection output from the deliberately non-conforming pod
  • A conforming app running under the standard with default-deny networking in place
Deliverables 3 required
07 - Rubric
Namespace enforces at least the baseline Pod Security standard via labels 30%
A privileged/hostPath pod is rejected at admission with captured output 30%
Default-deny network policy is in place with only required paths opened 25%
A conforming app deploys cleanly under the enforced standard 15%
Rubric self-assessed