12.5 Admission controllers
$ kubectl create -f Chapter12/12.5_PodSecurityAdmission/namespace.yaml
$ kubectl config set-context --current --namespace=team1
Try to create a Pod that runs as root. It will be rejected by Pod Security Admission:
$ kubectl create -f Chapter03/3.2.4_ThePodSpec/pod.yaml
Error from server (Forbidden): error when creating "Chapter03/3.2.4_ThePodSpec/pod.yaml": pods "timeserver" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "timeserver-container" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "timeserver-container" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "timeserver-container" must set securityContext.runAsNonRoot=true)
A non-root Pod, however, can run:
$ kubectl create -f Chapter12/12.5_PodSecurityAdmission/nonroot_pod.yaml
pod/timeserver-pod created
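The contents of namespace.yaml and nonroot_pod.yaml are not shown on this page; the following is an added example (not the book's own files) of a namespace labelled for restricted enforcement and a Pod whose securityContext satisfies each check named in the error above. The image name is a placeholder, and the seccompProfile setting covers a restricted-profile requirement that the error message above does not list.

```yaml
# Added example, not the book's manifests. Image name is a placeholder.
apiVersion: v1
kind: Namespace
metadata:
  name: team1
  labels:
    # Reject any Pod that violates the restricted profile ...
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # ... and also warn the kubectl user and record an audit annotation
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: timeserver-pod
  namespace: team1
spec:
  securityContext:
    runAsNonRoot: true        # fixes: runAsNonRoot != true
    runAsUser: 1000           # explicit non-root UID, so the kubelet does not refuse an image that defaults to root
    seccompProfile:
      type: RuntimeDefault    # restricted also requires an explicit seccomp profile
  containers:
  - name: timeserver-container
    image: registry.example.com/timeserver:placeholder   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false   # fixes: allowPrivilegeEscalation != false
      capabilities:
        drop: ["ALL"]                   # fixes: unrestricted capabilities
```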
Cleanup
$ kubectl delete ns team1
namespace "team1" deleted