Enabling and Verifying Pod Security Standards Enforcement at the Namespace Level

Kubernetes control plane is running at https://127.0.0.1:50996 CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. ``` ## Create a namespace Create a new namespace called `example`: ```shell kubectl create ns example ``` The output is similar to this: ``` namespace/example created ``` ## Enable Pod Security Standards checking for that namespace 1. Enable Pod Security Standards on this namespace using labels supported by built-in Pod Security Admission. In this step you will configure a check to warn on Pods that don't meet the latest version of the _baseline_ pod security standard. ```shell kubectl label --overwrite ns example \ pod-security.kubernetes.io/warn=baseline \ pod-security.kubernetes.io/warn-version=latest ``` 2. You can configure multiple pod security standard checks on any namespace, using labels. The following command will `enforce` the `baseline` Pod Security Standard, but `warn` and `audit` for `restricted` Pod Security Standards as per the latest version (default value) ```shell kubectl label --overwrite ns example \ pod-security.kubernetes.io/enforce=baseline \ pod-security.kubernetes.io/enforce-version=latest \ pod-security.kubernetes.io/warn=restricted \ pod-security.kubernetes.io/warn-version=latest \ pod-security.kubernetes.io/audit=restricted \ pod-security.kubernetes.io/audit-version=latest ``` ## Verify the Pod Security Standard enforcement 1. Create a baseline Pod in the `example` namespace: ```shell kubectl apply -n example -f https://k8s.io/examples/security/example-baseline-pod.yaml ``` The Pod does start OK; the output includes a warning. For example: ``` Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") pod/nginx created ``` 1. Create a baseline Pod in the `default` namespace: ```shell kubectl apply -n default -f https://k8s.io/examples/security/example-baseline-pod.yaml ``` Output is similar to this: ``` pod/nginx created ``` The Pod Security Standards enforcement and warning settings were applied only to the `example` namespace. You could create the same Pod in the `default` namespace with no warnings. ## Clean up Now delete the cluster which you created above by running the following command: ```shell kind delete cluster --name psa-ns-level ``` ## {{% heading "whatsnext" %}} - Run a [shell script](/examples/security/kind-with-namespace-level-baseline-pod-security.sh) to perform all the preceding steps all at once. 1. Create kind cluster 2. Create new namespace 3. Apply `baseline` Pod Security Standard in `enforce` mode while applying `restricted` Pod Security Standard also in `warn` and `audit` mode. 4. Create a new pod with the following pod security standards applied - [Pod Security Admission](/docs/concepts/security/pod-security-admission/) - [Pod Security Standards](/docs/concepts/security/pod-security-standards/) - [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/)

This section details how to enable Pod Security Standards checking for a specific namespace and verify its enforcement. It demonstrates how to configure labels to enforce the 'baseline' standard while warning and auditing for the 'restricted' standard. The tutorial then walks through creating a baseline Pod in both the configured namespace ('example') and the default namespace to observe the enforcement in action, followed by cleanup instructions and links to further resources.