CORRECT TEXT
Create a PodSecurityPolicy (PSP) that allows only persistentVolumeClaim as the volume type in the namespace restricted.
Create a new PodSecurityPolicy named prevent-volume-policy which prevents pods from mounting any volume type other than persistentVolumeClaim.
Create a new ServiceAccount named psp-sa in the namespace restricted.
Create a new ClusterRole named psp-role, which uses the newly created PodSecurityPolicy prevent-volume-policy.
Create a new ClusterRoleBinding named psp-role-binding, which binds the ClusterRole psp-role to the ServiceAccount psp-sa.
Hint:
Also check that the configuration works by trying to mount a Secret in the pod manifest; the pod creation should fail.
POD Manifest:
apiVersion: v1
kind: Pod
metadata:
  name:
spec:
  containers:
    - name:
      image:
      volumeMounts:
        - name:
          mountPath:
  volumes:
    - name:
      secret:
        secretName:
Answer:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false