Lab 5.3 Researching Pod Security Admission
In this lab, we can see 3 questions which are below:
1. Which predefined Pod Security Standard levels would I use to limit pods using hostPath to a directory, such as/dataand all subdirectories?
2. Which policy and what YAML stanza with CAP????? would be used if you want to allow a pod from fully controlling the node’s networking?
3. If a developer requires known unsafe sysctls, such as what high-performance computing may require, what yaml would you need to put into the pod spec to allow it?
I think the answer for the first question is not "AllowedHostPaths". As the question is ask which predefined pod security standard level, we know only 3 profile " Privileged, Baseline, Restricted", so here I think the answer is "Baseline" and "Restricted" according the page: https://kubernetes.io/docs/concepts/security/pod-security-standards/
The third answer is:
allowedUnsafeSysctls: - kernel.msg*
I think is also wrong, I couldn't find this schema from "pod.spec.securityContext",
and only found "pod.spec.securityContext.sysctls", demo can be found in the page: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Could anyone tell me if it's correct? thanks
Comments
-
Hmm Agree. Seems to be in a state of flux in diff K8s release (moving goalposts) but currently seems to be managed using a combination of spec.securityContext.sysctls (for namespaced sysctls) and kubelet commands (kubelet --allowed-unsafe-sysctls) at node level - see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
1 -
I'd like to bump this topic, because this part of the labs is very outdated.
allowedHostPathswas part ofPodSecurityPolicythat has been removed in v1.25, and we're already at 1.330
Categories
- All Categories
- 177 LFX Mentorship
- 177 LFX Mentorship: Linux Kernel
- 765 Linux Foundation IT Professional Programs
- 377 Cloud Engineer IT Professional Program
- 174 Advanced Cloud Engineer IT Professional Program
- 75 DevOps IT Professional Program - Discontinued
- 7 DevOps & GitOps IT Professional Program
- 101 Cloud Native Developer IT Professional Program
- 7.6K Training Courses & Learning Paths
- 3 AI & ML Training
- 1 Blockchain & Decentralized Identity Training
- 10 Cloud & Containers Training
- 1 Cybersecurity Training
- 2 DevOps & Site-Reliability Training
- 1 Linux Kernel Development Training
- 1 Networking Training
- 2 Open Source Best Practice Training
- 2 System Administration Training
- 1 System Engineering Training
- 1 Web & Application Development Training
- 796 Hardware
- 202 Drivers
- 68 I/O Devices
- 37 Monitors
- 95 Multimedia
- 173 Networking
- 91 Printers & Scanners
- 91 Storage
- 770 Linux Distributions
- 81 Debian
- 68 Fedora
- 23 Linux Mint
- 13 Mageia
- 24 openSUSE
- 150 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 465 Linux System Administration
- 31 Cloud Computing
- 73 Command Line/Scripting
- Github systems admin projects
- 98 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 115 Mobile Computing
- 20 Android
- 80 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 395 Off Topic
- 121 Introductions
- 30 Study Material
- 989 Programming and Development
- 310 Kernel Development
- 661 Software Development
- 1K Software
- 393 Applications
- 182 Command Line
- 5 Compiling/Installing
- 69 Games
- 318 Installation
- Archived
- 183 Small Talk
- 2 LFD140 Class Forum
- 1.4K LFS258 Class Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)