From 6d81923f34360c284eb761c0085e73a6678aebfb Mon Sep 17 00:00:00 2001
From: bmppa
Date: Mon, 17 Nov 2025 10:33:12 -0500
Subject: [PATCH 1/6] added folder for day 5

---
 day-005/README.md | 118 ++++++++++++++++++++++++++++++++++++
 day-005/namespace.yaml | 7 +++
 day-005/privileged-pod.yaml | 12 ++++
 day-005/restricted-pod.yaml | 18 ++++++
 4 files changed, 155 insertions(+)
 create mode 100644 day-005/README.md
 create mode 100644 day-005/namespace.yaml
 create mode 100644 day-005/privileged-pod.yaml
 create mode 100644 day-005/restricted-pod.yaml

diff --git a/day-005/README.md b/day-005/README.md
new file mode 100644
index 0000000..ef808ff
--- /dev/null
+++ b/day-005/README.md
@@ -0,0 +1,118 @@ +## ๐Ÿงช **Pod Security Admission Lab** + +This lab will show you how to: + +1. Enable PSA on a namespace +2. Attempt to deploy a non-compliant pod +3. Modify the pod to comply with the `restricted` profile + +--- + +### ๐Ÿ“ **Requirments** + +A cluster running Kubernetes v1.25 or above. + +--- + +### ๐Ÿ“ **Folder structure** + +``` +k8s-psa-lab/ +โ”œโ”€โ”€ namespace.yaml +โ”œโ”€โ”€ privileged-pod.yaml +โ””โ”€โ”€ restricted-pod.yaml +``` + +--- + +### โœ… **Step 1: Create a namespace with PSA labels** + +PSA is enforced via labels on the namespace. + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: psa-lab + labels: + pod-security.kubernetes.io/enforce: "restricted" + pod-security.kubernetes.io/enforce-version: "latest" +``` + +Apply it: + +```bash +kubectl apply -f namespace.yaml +``` + +--- + +### ๐Ÿšซ **Step 2: Try deploying a non-compliant privileged Pod** + +This pod will violate the `restricted` policy because it uses `privileged: true`. + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: privileged-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + privileged: true +``` + +Try applying it: + +```bash +kubectl apply -f privileged-pod.yaml +``` + +๐Ÿ”’ You should see an error like this: + +``` +Error from server (Forbidden): error when creating "privileged-pod.yaml": pods "privileged-pod" is forbidden: violates PodSecurity "restricted:latest": privileged (container "ubuntu" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "ubuntu" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ubuntu" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ubuntu" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "ubuntu" must set 
securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") +``` + +--- + +### โœ… **Step 3: Fix the pod to comply with `restricted`** + +Update the pod to meet the requirements: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: restricted-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault +``` + +Apply it: + +```bash +kubectl apply -f restricted-pod.yaml +``` + +โœ… This time, it should deploy successfully. + +```bash +pod/restricted-pod created +``` diff --git a/day-005/namespace.yaml b/day-005/namespace.yaml new file mode 100644 index 0000000..caa97fa --- /dev/null +++ b/day-005/namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: psa-lab + labels: + pod-security.kubernetes.io/enforce: "restricted" + pod-security.kubernetes.io/enforce-version: "latest" diff --git a/day-005/privileged-pod.yaml b/day-005/privileged-pod.yaml new file mode 100644 index 0000000..0be4c36 --- /dev/null +++ b/day-005/privileged-pod.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + privileged: true diff --git a/day-005/restricted-pod.yaml b/day-005/restricted-pod.yaml new file mode 100644 index 0000000..a4ab3ec --- /dev/null +++ b/day-005/restricted-pod.yaml 
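Review bot: `pod-security.kubernetes.io/enforce-version: "latest"` on the psa-lab namespace ties the enforced check set to whatever the API server currently ships, so this same manifest can start rejecting (or admitting) pods after a cluster upgrade with no change in the repo; pinning a minor, e.g. `pod-security.kubernetes.io/enforce-version: "v1.25"`, keeps the lab reproducible across upgrades and matches the "v1.25 or above" requirement stated in the README. The namespace also sets no warn or audit mode, so there is no dry-run path before enforcement; adding `pod-security.kubernetes.io/warn: "restricted"` and `pod-security.kubernetes.io/audit: "restricted"` surfaces the same violations as kubectl warnings and audit-log annotations, which is the usual way to roll restricted out on a namespace that already has workloads.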
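Review bot: privileged-pod.yaml gives no indication that it is meant to be rejected, so anyone browsing the repo or copying a manifest could take it for a working example, and the only thing stopping it from running as a privileged container is the enforce label on the namespace. A header comment makes the intent explicit and survives a later relaxation of the namespace to warn or audit mode, e.g. `# Intentionally non-compliant with the "restricted" Pod Security Standard.` followed by `# PSA on the psa-lab namespace is expected to reject this pod (README Step 2); never apply it elsewhere.`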
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restricted-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault From 9e3bf725f0e0e8ec1bc4869fc0216b1db2fbe5b5 Mon Sep 17 00:00:00 2001 From: bmppa Date: Mon, 17 Nov 2025 10:35:27 -0500 Subject: [PATCH 2/6] updated folder structure --- day-005/{ => manifests}/namespace.yaml | 0 day-005/{ => manifests}/privileged-pod.yaml | 0 day-005/{ => manifests}/restricted-pod.yaml | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename day-005/{ => manifests}/namespace.yaml (100%) rename day-005/{ => manifests}/privileged-pod.yaml (100%) rename day-005/{ => manifests}/restricted-pod.yaml (100%) diff --git a/day-005/namespace.yaml b/day-005/manifests/namespace.yaml similarity index 100% rename from day-005/namespace.yaml rename to day-005/manifests/namespace.yaml diff --git a/day-005/privileged-pod.yaml b/day-005/manifests/privileged-pod.yaml similarity index 100% rename from day-005/privileged-pod.yaml rename to day-005/manifests/privileged-pod.yaml diff --git a/day-005/restricted-pod.yaml b/day-005/manifests/restricted-pod.yaml similarity index 100% rename from day-005/restricted-pod.yaml rename to day-005/manifests/restricted-pod.yaml From 91bb1aaf8c60831dde7ef3087722dcde3b0d2e98 Mon Sep 17 00:00:00 2001 From: bmppa Date: Mon, 17 Nov 2025 10:39:19 -0500 Subject: [PATCH 3/6] updated README file for day 5 --- day-005/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/day-005/README.md b/day-005/README.md index ef808ff..1af0bee 100644 --- a/day-005/README.md +++ b/day-005/README.md 
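Review bot: the restricted settings in restricted-pod.yaml live only under the single container's securityContext, so any init container or sidecar added to this pod later starts out non-compliant and is rejected again by PSA. `runAsNonRoot`, `runAsUser` and `seccompProfile` have pod-level equivalents under `spec.securityContext` that every container inherits, while `allowPrivilegeEscalation` and `capabilities` exist only at container level and stay where they are. The reshaped manifest passes the same checks and also shows the "pod or container" layering that the error message in the README refers to.
```yaml
spec:
  securityContext:            # pod-wide defaults, inherited by every container
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: ubuntu
    # … unchanged: image, command …
    securityContext:          # container-only fields, no pod-level equivalent
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```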
@@ -17,7 +17,7 @@ A cluster running Kubernetes v1.25 or above. ### ๐Ÿ“ **Folder structure** ``` -k8s-psa-lab/ +manifests/ โ”œโ”€โ”€ namespace.yaml โ”œโ”€โ”€ privileged-pod.yaml โ””โ”€โ”€ restricted-pod.yaml From a48eba6230ba44be0aa66e8157e90003580a2905 Mon Sep 17 00:00:00 2001 From: bmppa Date: Mon, 17 Nov 2025 11:04:57 -0500 Subject: [PATCH 4/6] updated README file with cleanup section --- day-005/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/day-005/README.md b/day-005/README.md index 1af0bee..ea2abdc 100644 --- a/day-005/README.md +++ b/day-005/README.md @@ -116,3 +116,13 @@ kubectl apply -f restricted-pod.yaml ```bash pod/restricted-pod created ``` + +--- + +### โœ… **Step 4: Cleanup** + +To cleanup the environment, run the following command: + +```bash +kubectl apply -f namespace.yaml +``` From dc3478b7e38d4893e1ce11fa8f27f9239ea44f47 Mon Sep 17 00:00:00 2001 From: bmppa Date: Sat, 13 Dec 2025 21:26:28 -0500 Subject: [PATCH 5/6] formated README file --- day-005/README.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/day-005/README.md b/day-005/README.md index ea2abdc..6cc0991 100644 --- a/day-005/README.md +++ b/day-005/README.md 
@@ -1,27 +1,26 @@ -## ๐Ÿงช **Pod Security Admission Lab** +# Day 28: Pod Security Admission +## THE IDEA: This lab will show you how to: 1. Enable PSA on a namespace 2. Attempt to deploy a non-compliant pod 3. Modify the pod to comply with the `restricted` profile ---- - -### ๐Ÿ“ **Requirments** +## THE SETUP: A cluster running Kubernetes v1.25 or above. ---- +## WHAT I LEARNED: +Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. +Pod security restrictions are applied at the namespace level when pods are created. -### ๐Ÿ“ **Folder structure** +## WHY IT MATTERS: +Kubernetes can block risky workloads before they run, using the native PSA โ€” no 3rd party tools needed! +Good for quick, standard security posture enforcement. -``` -manifests/ -โ”œโ”€โ”€ namespace.yaml -โ”œโ”€โ”€ privileged-pod.yaml -โ””โ”€โ”€ restricted-pod.yaml -``` +TRY IT: +๐Ÿงช Interactive Lab: https://killercoda.com/chadmcrowell/course/kubeskills-daily/day-028 --- From 176b6f4664c62ca0839d5b53508864ad08924281 Mon Sep 17 00:00:00 2001 From: bmppa Date: Sat, 13 Dec 2025 21:30:31 -0500 Subject: [PATCH 6/6] updated folder --- {day-005 => day-028}/README.md | 0 {day-005 => day-028}/manifests/namespace.yaml | 0 {day-005 => day-028}/manifests/privileged-pod.yaml | 0 {day-005 => day-028}/manifests/restricted-pod.yaml | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename {day-005 => day-028}/README.md (100%) rename {day-005 => day-028}/manifests/namespace.yaml (100%) rename {day-005 => day-028}/manifests/privileged-pod.yaml (100%) rename {day-005 => day-028}/manifests/restricted-pod.yaml (100%) diff --git a/day-005/README.md b/day-028/README.md similarity index 100% rename from day-005/README.md rename to day-028/README.md diff --git a/day-005/manifests/namespace.yaml b/day-028/manifests/namespace.yaml similarity index 100% rename from day-005/manifests/namespace.yaml rename to day-028/manifests/namespace.yaml 
diff --git a/day-005/manifests/privileged-pod.yaml b/day-028/manifests/privileged-pod.yaml
similarity index 100%
rename from day-005/manifests/privileged-pod.yaml
rename to day-028/manifests/privileged-pod.yaml
diff --git a/day-005/manifests/restricted-pod.yaml b/day-028/manifests/restricted-pod.yaml
similarity index 100%
rename from day-005/manifests/restricted-pod.yaml
rename to day-028/manifests/restricted-pod.yaml