---
title: Kubernetes Pod Security Admission (PSA) policy labels and violation verification in practice
keywords: PSA, pod-security.kubernetes.io/enforce, baseline, restricted, warn, audit
description: Set PSA labels on a namespace to enforce, warn on, or audit security policies at different levels, then verify that the policy takes effect with a violating example.
categories:
- Articles and news
- Technical tutorials
---
Set the PSA labels on the namespace (restricted is enforced; baseline violations only produce warnings and audit-log annotations):

```shell
kubectl create namespace secure
kubectl label namespace secure \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=baseline \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=baseline \
  pod-security.kubernetes.io/audit-version=latest --overwrite
```
Violating example (should be rejected or trigger a warning). `hostNetwork: true` already violates baseline, and `runAsUser: 0` violates restricted:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: secure
spec:
  hostNetwork: true
  containers:
  - name: c
    image: busybox:1.36
    securityContext:
      runAsUser: 0
    command: ['sh','-c','sleep 3600']
```
Verification result (sample output):

```shell
kubectl apply -f bad.yaml
# Error from server (Forbidden): ... violates PodSecurity "restricted:latest":
# hostNetwork: unrestricted, runAsUser: 0 is not allowed
```
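As an added illustration that is not part of the original post, the Python script below approximates offline a subset of the baseline and restricted checks behind the rejection above. It re-creates `bad-pod` as a dict (what `yaml.safe_load` would return for the manifest), adds a constructed `good-pod` with the fields the restricted profile requires, and mimics the enforce/warn decision produced by the labels set earlier. The function names (`admit`, `baseline_violations`, `restricted_violations`), `GOOD_POD`, and the message strings are this example's own and only paraphrase the real PodSecurity messages.

```python
"""Offline approximation of a subset of Pod Security Admission checks.

Assumption: manifests are plain dicts, as yaml.safe_load would return them.
The rules below mirror a subset of the baseline and restricted profiles;
the real admission plugin checks more fields (sysctls, volume types, ...).
"""
from typing import Callable, Dict, List

# The post's bad-pod, as a dict (mirrors bad.yaml above)
BAD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "bad-pod", "namespace": "secure"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "c",
            "image": "busybox:1.36",
            "securityContext": {"runAsUser": 0},
            "command": ["sh", "-c", "sleep 3600"],
        }],
    },
}

# Constructed hardened counterpart that satisfies the restricted profile
GOOD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "good-pod", "namespace": "secure"},
    "spec": {
        "containers": [{
            "name": "c",
            "image": "busybox:1.36",
            "securityContext": {
                "runAsNonRoot": True,
                "runAsUser": 65534,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
            "command": ["sh", "-c", "sleep 3600"],
        }],
    },
}


def _all_containers(spec: Dict) -> List[Dict]:
    """Init, regular and ephemeral containers are all subject to the checks."""
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def baseline_violations(pod: Dict) -> List[str]:
    """Subset of baseline: host namespaces, privileged, hostPort, hostPath."""
    spec = pod["spec"]
    found: List[str] = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"host namespaces ({key}=true)")
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f'privileged (container "{c["name"]}" must not set privileged=true)')
        if any(p.get("hostPort") for p in c.get("ports", [])):
            found.append(f'hostPort (container "{c["name"]}" must not use hostPort)')
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f'hostPath volumes (volume "{vol["name"]}" uses hostPath)')
    return found


def restricted_violations(pod: Dict) -> List[str]:
    """Restricted = baseline plus non-root, no escalation, drop ALL, seccomp."""
    spec = pod["spec"]
    found = baseline_violations(pod)
    pod_sc = spec.get("securityContext") or {}
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        name = c["name"]
        # Container-level values override pod-level ones for these fields
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if run_as_user == 0:
            found.append(f'runAsUser=0 (container "{name}" must not set runAsUser=0)')
        if non_root is not True:
            found.append(f'runAsNonRoot != true (container "{name}" must set runAsNonRoot=true)')
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop", [])):
            found.append(f'unrestricted capabilities (container "{name}" must drop ALL)')
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f'seccompProfile (container "{name}" must set RuntimeDefault or Localhost)')
    return found


LEVELS: Dict[str, Callable[[Dict], List[str]]] = {
    "privileged": lambda pod: [],
    "baseline": baseline_violations,
    "restricted": restricted_violations,
}


def admit(pod: Dict, enforce: str = "restricted", warn: str = "baseline") -> Dict:
    """Mimic the PSA decision: the enforce level rejects, the warn level only warns."""
    denied = LEVELS[enforce](pod)
    return {"allowed": not denied, "denied_reasons": denied, "warnings": LEVELS[warn](pod)}


if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], admit(pod))
```

On a real cluster the equivalent check that creates nothing is `kubectl apply --dry-run=server -f bad.yaml`, which still runs admission and returns the same Forbidden error and warnings; similarly, `kubectl label --dry-run=server` on a namespace reports which existing pods would violate a new level before the label is actually applied.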
