Lab 5.3 Researching Pod Security Admission

royluo
royluo Posts: 1
edited April 11 in LFS260 Class Forum

In this lab, we can see 3 questions which are below:
1. Which predefined Pod Security Standard levels would I use to limit pods using hostPath to a directory, such as /data and all subdirectories?
2. Which policy and what YAML stanza with CAP????? would be used if you want to allow a pod from fully controlling the node’s networking?
3. If a developer requires known unsafe sysctls, such as what high-performance computing may require, what yaml would you need to put into the pod spec to allow it?

I think the answer for the first question is not "AllowedHostPaths". As the question asks which predefined pod security standard level, we know only 3 profiles: "Privileged, Baseline, Restricted", so here I think the answer is "Baseline" and "Restricted" according to the page: https://kubernetes.io/docs/concepts/security/pod-security-standards/

The third answer is:

allowedUnsafeSysctls:
- kernel.msg*

I think this is also wrong. I couldn't find this schema under "pod.spec.securityContext",
and only found "pod.spec.securityContext.sysctls"; a demo can be found on the page: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Could anyone tell me if it's correct? thanks
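Added example for this thread, not part of the lab or the post above, showing the three pieces of YAML that the questions touch: the namespace labels that Pod Security Admission evaluates, the kubelet setting that enables unsafe sysctls on a node, and the pod spec stanza that requests them. The namespace name psa-demo, the pod name hpc-worker, the container image and the sysctl values are constructed for illustration. Two points worth knowing when reading it: the Baseline and Restricted profiles both reject any spec.volumes[*].hostPath, so neither can limit hostPath to a particular directory; and Baseline only permits a short safe list of sysctls (kernel.shm_rmid_forced, net.ipv4.ip_local_port_range and a few others), so a pod asking for kernel.msgmax is admitted only in a namespace that enforces privileged.

```yaml
# Added example (not the lab's or the poster's YAML). Names, image and values are constructed.

# 1. Pod Security Admission is configured per namespace with labels.
#    enforce rejects violating pods; warn and audit only report them.
#    Baseline (and Restricted) reject spec.volumes[*].hostPath outright;
#    no predefined level restricts hostPath to a directory such as /data.
apiVersion: v1
kind: Namespace
metadata:
  name: psa-demo                      # constructed name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# 2. Unsafe sysctls are a node-level decision: the kubelet must list them in
#    KubeletConfiguration.allowedUnsafeSysctls (or --allowed-unsafe-sysctls).
#    A trailing wildcard such as kernel.msg* is accepted here, not in the pod spec.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
allowedUnsafeSysctls:
  - "kernel.msg*"
---
# 3. The pod then names the concrete sysctls it needs under
#    spec.securityContext.sysctls as name/value pairs.
#    kernel.msgmax is outside the Baseline safe list, so in psa-demo this pod
#    is rejected; it needs a namespace labelled enforce: privileged.
apiVersion: v1
kind: Pod
metadata:
  name: hpc-worker                    # constructed name
  namespace: psa-demo
spec:
  securityContext:
    sysctls:
      - name: kernel.msgmax
        value: "65536"                # constructed value
  containers:
    - name: worker
      image: registry.k8s.io/pause:3.9   # placeholder image, assumed for the example
```

The KubeletConfiguration fragment is applied on the node, not through kubectl. Applying the namespace and then the pod with kubectl shows the admission behaviour directly: the pod is rejected with a message naming the forbidden sysctl, and the warn/audit labels report what Restricted would additionally flag without blocking anything.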
