Set the PSA labels on the namespace:

```bash
kubectl create namespace secure
kubectl label namespace secure \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=baseline \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=baseline \
  pod-security.kubernetes.io/audit-version=latest --overwrite
```

A violating example (should be rejected, or at least produce a warning):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: secure
spec:
  hostNetwork: true
  containers:
  - name: c
    image: busybox:1.36
    securityContext:
      runAsUser: 0
    command: ['sh', '-c', 'sleep 3600']
```

Verification (sample output):

```
kubectl apply -f bad.yaml
# Error from server (Forbidden): ... violates PodSecurity "restricted:latest":
# hostNetwork: unrestricted, runAsUser: 0 is not allowed
```
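To see which fields the `restricted` profile actually objects to before a manifest reaches the API server, the following added example (not code from the original post) implements an offline checker for a subset of the Pod Security Standards rules: host namespaces, `privileged`, `allowPrivilegeEscalation`, capabilities, `runAsNonRoot`/`runAsUser`, and `seccompProfile`. It reproduces the post's `bad-pod` as a Python dict (constructed inline, so no YAML library is needed) next to a hardened variant of the same pod; the hardened manifest and the helper names are assumptions of this example, and the rule subset is not the full PSA implementation.

```python
"""Offline linter for a subset of the PSA 'restricted' profile.

Added example, not part of the original post. Manifests are plain dicts
so the check runs without a cluster or a YAML dependency.
"""

# The post's violating pod, constructed inline as a dict.
BAD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "bad-pod", "namespace": "secure"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "c",
            "image": "busybox:1.36",
            "securityContext": {"runAsUser": 0},
            "command": ["sh", "-c", "sleep 3600"],
        }],
    },
}

# Assumed hardened variant of the same pod that satisfies every check below.
GOOD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "good-pod", "namespace": "secure"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "c",
            "image": "busybox:1.36",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "command": ["sh", "-c", "sleep 3600"],
        }],
    },
}


def _effective(container_sc, pod_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def check_restricted(pod):
    """Return a list of violation strings; an empty list means the pod passes this subset."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []

    # Baseline rule: host namespaces must stay unset or false.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"{field}: unrestricted")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {name}: privileged")
        # Restricted requires allowPrivilegeEscalation to be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"container {name}: must drop ALL capabilities")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"container {name}: added capabilities not allowed: {sorted(extra)}")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            violations.append(f"container {name}: runAsNonRoot != true")
        if _effective(sc, pod_sc, "runAsUser") == 0:
            violations.append(f"container {name}: runAsUser: 0 is not allowed")
        seccomp = (_effective(sc, pod_sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        found = check_restricted(pod)
        print(pod["metadata"]["name"], "->", found or "OK")
```

The checker is a pre-commit convenience, not a substitute for the admission controller: the authoritative answer for a namespace labelled as above comes from `kubectl apply --dry-run=server -f bad.yaml`, which asks the API server to evaluate the manifest without creating the pod.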