
Lab 5.3 Researching Pod Security Admission

Posts: 1
edited April 2024 in LFS260 Class Forum

In this lab, we can see 3 questions which are below:
1. Which predefined Pod Security Standard levels would I use to limit pods using hostPath to a directory, such as /data and all subdirectories?
2. Which policy and what YAML stanza with CAP????? would be used if you want to allow a pod to fully control the node's networking?
3. If a developer requires known unsafe sysctls, such as what high-performance computing may require, what YAML would you need to put into the pod spec to allow it?

I think the answer for the first question is not "AllowedHostPaths". As the question asks which predefined Pod Security Standard level, and we know only 3 profiles ("Privileged", "Baseline", "Restricted"), I think the answer here is "Baseline" and "Restricted", according to the page: https://kubernetes.io/docs/concepts/security/pod-security-standards/

The third answer is:

  allowedUnsafeSysctls:
  - kernel.msg*

I think this is also wrong: I couldn't find this schema in "pod.spec.securityContext",
and only found "pod.spec.securityContext.sysctls"; a demo can be found on the page: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Could anyone tell me if it's correct? Thanks
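As an added example (not from the lab or the original post), the manifests below show where each of the settings discussed above actually lives: the Pod Security Standard level is applied with namespace labels, a pod requests sysctls in spec.securityContext.sysctls, and the list of permitted unsafe sysctls is a kubelet setting (the KubeletConfiguration field allowedUnsafeSysctls, or the --allowed-unsafe-sysctls flag), not a pod spec field. The namespace name, pod name, image and sysctl values are constructed for illustration.

```yaml
# Added example, not part of the lab or the original post.
# Namespace names, pod names and sysctl values here are constructed.

# 1. Pod Security Admission is configured per namespace with labels.
#    "baseline" forbids hostPath volumes and any sysctl outside the
#    safe subset; "restricted" is stricter still. Setting "warn" and
#    "audit" to restricted surfaces violations without blocking them.
apiVersion: v1
kind: Namespace
metadata:
  name: hpc-team
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# 2. sysctls are requested in pod.spec.securityContext.sysctls.
#    A safe sysctl such as kernel.shm_rmid_forced is admitted under
#    baseline. An unsafe one (for example kernel.msgmax) would be
#    rejected by admission in this namespace, and even in a privileged
#    namespace the kubelet will not start the pod unless the sysctl is
#    on the node's allow-list shown in (3).
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-demo
  namespace: hpc-team
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
  containers:
  - name: app
    image: registry.k8s.io/pause:3.9
---
# 3. The allow-list for unsafe sysctls lives in the kubelet's
#    configuration, not in the pod spec; the command-line equivalent
#    is --allowed-unsafe-sysctls. Only a node configured this way will
#    run a pod that requests kernel.msg*, and the pod's namespace must
#    still be at a level (privileged) that admits unsafe sysctls.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
allowedUnsafeSysctls:
- "kernel.msg*"
- "net.core.somaxconn"
```

A quick way to check what a namespace level will do to a given pod, before anything is created, is `kubectl apply --dry-run=server -f pod.yaml`: the API server runs admission, so an enforce violation is returned as an error and a warn violation as a warning, while nothing is persisted.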
