Home Explore Blog Models CI



kubernetes
1st chunk of `content/en/docs/tutorials/security/ns-level-pss.md`
dd80fd25b59b71de2a12b3e9876d1f3de10a146fac6917550000000100000ad0
---
title: Apply Pod Security Standards at the Namespace Level
content_type: tutorial
weight: 20
---

{{% alert title="Note" %}}
This tutorial applies only for new clusters.
{{% /alert %}}

Pod Security Admission is an admission controller that applies 
[Pod Security Standards](/docs/concepts/security/pod-security-standards/) 
when pods are created.  It is a feature GA'ed in v1.25.
In this tutorial, you will enforce the `baseline` Pod Security Standard,
one namespace at a time.

You can also apply Pod Security Standards to multiple namespaces at once at the cluster
level. For instructions, refer to
[Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/).

## {{% heading "prerequisites" %}}

Install the following on your workstation:

- [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
- [kubectl](/docs/tasks/tools/)

## Create cluster

1. Create a `kind` cluster as follows:

   ```shell
   kind create cluster --name psa-ns-level
   ```

   The output is similar to this:

   ```
   Creating cluster "psa-ns-level" ...
    ✓ Ensuring node image (kindest/node:v{{< skew currentPatchVersion >}}) 🖼 
    ✓ Preparing nodes 📦  
    ✓ Writing configuration 📜 
    ✓ Starting control-plane 🕹️ 
    ✓ Installing CNI 🔌 
    ✓ Installing StorageClass 💾 
   Set kubectl context to "kind-psa-ns-level"
   You can now use your cluster with:
    
   kubectl cluster-info --context kind-psa-ns-level
    
   Not sure what to do next? 😅  Check out https://kind.sigs.k8s.io/docs/user/quick-start/
   ```

1. Set the kubectl context to the new cluster:

   ```shell
   kubectl cluster-info --context kind-psa-ns-level
   ```
   The output is similar to this:

   ```
   Kubernetes control plane is running at https://127.0.0.1:50996
   CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
    
   To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
   ```

## Create a namespace

Create a new namespace called `example`:

```shell
kubectl create ns example
```

The output is similar to this:

```
namespace/example created
```

## Enable Pod Security Standards checking for that namespace

1. Enable Pod Security Standards on this namespace using labels supported by
   built-in Pod Security Admission. In this step you will configure a check to
   warn on Pods that don't meet the latest version of the _baseline_ pod
   security standard.

   ```shell
   kubectl label --overwrite ns example \
      pod-security.kubernetes.io/warn=baseline \
      pod-security.kubernetes.io/warn-version=latest
   ```

2. You can configure multiple pod security standard checks on any namespace, using labels.
Title: Applying Pod Security Standards at the Namespace Level
Summary
This tutorial explains how to apply Pod Security Standards at the namespace level using Pod Security Admission, a feature available from Kubernetes v1.25. It guides you through creating a kind cluster, creating a namespace, and enabling Pod Security Standards checking for that namespace by setting specific labels.