Free Certified Kubernetes Security Specialist Exam CKS Exam Practice Test

Create a PSP that will prevent the creation of privileged pods in the namespace.Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.Create a new ServiceAccount named psp-sa in the namespace default.Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

• A . Explanation:
  Create a PSP that will prevent the creation of privileged pods in the namespace.
  $ cat clusterrole-use-privileged.yaml
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: use-privileged-psp
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - default-psp
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
  name: privileged-role-bind
  namespace: psp-test
  roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-privileged-psp
  subjects:
  - kind: ServiceAccount
  name: privileged-sa
  $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
  After a few moments, the privileged Pod should be created.
  Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
  name: example
  spec:
  privileged: false # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
  rule: RunAsAny
  supplementalGroups:
  rule: RunAsAny
  runAsUser:
  rule: RunAsAny
  fsGroup:
  rule: RunAsAny
  volumes:
  - '*'
  And create it with kubectl:
  kubectl-admin create -f example-psp.yaml
  Now, as the unprivileged user, try to create a simple pod:
  kubectl-user create -f- <<EOF
  apiVersion: v1
  kind: Pod
  metadata:
  name: pause
  spec:
  containers:
  - name: pause
  image: k8s.gcr.io/pause
  EOF
  The output is similar to this:
  Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
  Create a new ServiceAccount named psp-sa in the namespace default.
  $ cat clusterrole-use-privileged.yaml
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: use-privileged-psp
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - default-psp
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
  name: privileged-role-bind
  namespace: psp-test
  roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-privileged-psp
  subjects:
  - kind: ServiceAccount
  name: privileged-sa
  $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
  After a few moments, the privileged Pod should be created.
  Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
  name: example
  spec:
  privileged: false # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
  rule: RunAsAny
  supplementalGroups:
  rule: RunAsAny
  runAsUser:
  rule: RunAsAny
  fsGroup:
  rule: RunAsAny
  volumes:
  - '*'
  And create it with kubectl:
  kubectl-admin create -f example-psp.yaml
  Now, as the unprivileged user, try to create a simple pod:
  kubectl-user create -f- <<EOF
  apiVersion: v1
  kind: Pod
  metadata:
  name: pause
  spec:
  containers:
  - name: pause
  image: k8s.gcr.io/pause
  EOF
  The output is similar to this:
  Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
  Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
  apiVersion: rbac.authorization.k8s.io/v1
  # This role binding allows 'jane' to read pods in the 'default' namespace.
  # You need to already have a Role named 'pod-reader' in that namespace.
  kind: RoleBinding
  metadata:
  name: read-pods
  namespace: default
  subjects:
  # You can specify more than one 'subject'
  - kind: User
  name: jane # 'name' is case sensitive
  apiGroup: rbac.authorization.k8s.io
  roleRef:
  # 'roleRef' specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
  namespace: default
  name: pod-reader
  rules:
  - apiGroups: [''] # '' indicates the core API group
  resources: ['pods']
  verbs: ['get', 'watch', 'list']
  

Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic

• A . Explanation:
  You can create a 'default' isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
  ---
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: default-deny-ingress
  spec:
  podSelector: {}
  policyTypes:
  - Ingress
  You can create a 'default' egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.
  ---
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: allow-all-egress
  spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress
  Default deny all ingress and all egress traffic
  You can create a 'default' policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.
  ---
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: default-deny-all
  spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
  

Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

• A . Explanation:
  $ kubectl get ing -n <namespace-of-ingress-resource>
  NAME HOSTS ADDRESS PORTS AGE
  cafe-ingress cafe.com 10.0.2.15 80 25s
  $ kubectl describe ing <ingress-resource-name> -n <namespace-of-ingress-resource>
  Name: cafe-ingress
  Namespace: default
  Address: 10.0.2.15
  Default backend: default-http-backend:80 (172.17.0.5:8080)
  Rules:
  Host Path Backends
  ---- ---- --------
  cafe.com
  /tea tea-svc:80 (<none>)
  /coffee coffee-svc:80 (<none>)
  Annotations:
  kubectl.kubernetes.io/last-applied-configuration: {'apiVersion':'networking.k8s.io/v1','kind':'Ingress','metadata':{'annotations':{},'name':'cafe-ingress','namespace':'default','selfLink':'/apis/networking/v1/namespaces/default/ingresses/cafe-ingress'},'spec':{'rules':[{'host':'cafe.com','http':{'paths':[{'backend':{'serviceName':'tea-svc','servicePort':80},'path':'/tea'},{'backend':{'serviceName':'coffee-svc','servicePort':80},'path':'/coffee'}]}}]},'status':{'loadBalancer':{'ingress':[{'ip':'169.48.142.110'}]}}}
  Events:
  Type Reason Age From Message
  ---- ------ ---- ---- -------
  Normal CREATE 1m ingress-nginx-controller Ingress default/cafe-ingress
  Normal UPDATE 58s ingress-nginx-controller Ingress default/cafe-ingress
  $ kubectl get pods -n <namespace-of-ingress-controller>
  NAME READY STATUS RESTARTS AGE
  ingress-nginx-controller-67956bf89d-fv58j 1/1 Running 0 1m
  $ kubectl logs -n <namespace> ingress-nginx-controller-67956bf89d-fv58j
  -------------------------------------------------------------------------------
  NGINX Ingress controller
  Release: 0.14.0
  Build: git-734361d
  Repository: https://github.com/kubernetes/ingress-nginx
  -------------------------------------------------------------------------------
  ....
  

Create a network policy named allow-np, that allows pod in the namespace staging to connect to port 80 of other pods in the same namespace.Ensure that Network Policy:-1. Does not allow access to pod not listening on port 80.2. Does not allow access from Pods, not in namespace staging.

• A . Explanation:
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: network-policy
  spec:
  podSelector: {} #selects all the pods in the namespace deployed
  policyTypes:
  - Ingress
  ingress:
  - ports: #in input traffic allowed only through 80 port only
  - protocol: TCP
  port: 80
  

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context dev A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.Task: Create a new default-deny NetworkPolicy nameddeny-networkin the namespacetestfor all traffic of type Ingress + EgressThe new NetworkPolicy must deny all Ingress + Egress traffic in the namespacetest.Apply the newly createddefault-denyNetworkPolicy to all Pods running in namespacetest.You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

• A . Explanation:
  master1 $k get pods -n test --show-labels
  NAME READY STATUS RESTARTS AGE LABELS
  test-pod 1/1 Running 0 34s role=test,run=test-pod
  testing 1/1 Running 0 17d run=testing
  $vim netpol.yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: deny-network
  namespace: test
  spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  master1 $k apply -f netpol.yaml
  Explanation
  controlplane $ k get pods -n test --show-labels
  NAME READY STATUS RESTARTS AGE LABELS
  test-pod 1/1 Running 0 34s role=test,run=test-pod
  testing 1/1 Running 0 17d run=testing
  master1 $ vim netpol1.yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: deny-network
  namespace: test
  spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  master1 $ k apply -f netpol1.yaml
  
  Reference:
  https://kubernetes.io/docs/concepts/services-networking/network-policies/
  Explanation
  controlplane $ k get pods -n test --show-labels
  NAME READY STATUS RESTARTS AGE LABELS
  test-pod 1/1 Running 0 34s role=test,run=test-pod
  testing 1/1 Running 0 17d run=testing
  master1 $ vim netpol1.yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: deny-network
  namespace: test
  spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  master1 $ k apply -f netpol1.yaml
  
  Reference:
  https://kubernetes.io/docs/concepts/services-networking/network-policies/
  

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context test-account Task:Enable audit logs in the cluster.To do so, enable the log backend, and ensure that:1. logs are stored at/var/log/Kubernetes/logs.txt2. log files are retained for5days3. at maximum, a number of10old audit log files are retainedA basic policy is provided at/etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log. Note: The base policy is located on the cluster's master node.Edit and extend the basic policy to log: 1.Nodeschanges atRequestResponselevel 2. The request body ofpersistentvolumeschanges in the namespacefrontend 3.ConfigMapandSecretchanges in all namespaces at theMetadatalevelAlso, add a catch-all rule to log all other requests at theMetadatalevel Note:Don't forget to apply the modified policy.

• A . Explanation:
  $vim /etc/kubernetes/log-policy/audit-policy.yaml
  - level: RequestResponse
  userGroups: ['system:nodes']
  - level: Request
  resources:
  - group: '' # core API group
  resources: ['persistentvolumes']
  namespaces: ['frontend']
  - level: Metadata
  resources:
  - group: ''
  resources: ['configmaps', 'secrets']
  - level: Metadata
  $vim /etc/kubernetes/manifests/kube-apiserver.yaml
  Add these
  - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
  - --audit-log-path=/var/log/kubernetes/logs.txt
  - --audit-log-maxage=5
  - --audit-log-maxbackup=10
  Explanation
  [desk@cli] $ssh master1
  [master1@cli] $vim /etc/kubernetes/log-policy/audit-policy.yaml
  apiVersion: audit.k8s.io/v1 # This is required.
  kind: Policy
  # Don't generate audit events for all requests in RequestReceived stage.
  omitStages:
  - 'RequestReceived'
  rules:
  # Don't log watch requests by the 'system:kube-proxy' on endpoints or services
  - level: None
  users: ['system:kube-proxy']
  verbs: ['watch']
  resources:
  - group: '' # core API group
  resources: ['endpoints', 'services']
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
  userGroups: ['system:authenticated']
  nonResourceURLs:
  - '/api*' # Wildcard matching.
  - '/version'
  # Add your changes below
  - level: RequestResponse
  userGroups: ['system:nodes'] # Block for nodes
  - level: Request
  resources:
  - group: '' # core API group
  resources: ['persistentvolumes'] # Block for persistentvolumes
  namespaces: ['frontend'] # Block for persistentvolumes of frontend ns
  - level: Metadata
  resources:
  - group: '' # core API group
  resources: ['configmaps', 'secrets'] # Block for configmaps & secrets
  - level: Metadata # Block for everything else
  [master1@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
  apiVersion: v1
  kind: Pod
  metadata:
  annotations:
  kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
  labels:
  component: kube-apiserver
  tier: control-plane
  name: kube-apiserver
  namespace: kube-system
  spec:
  containers:
  - command:
  - kube-apiserver
  - --advertise-address=10.0.0.5
  - --allow-privileged=true
  - --authorization-mode=Node,RBAC
  - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
  - --audit-log-path=/var/log/kubernetes/logs.txt #Add this
  - --audit-log-maxage=5 #Add this
  - --audit-log-maxbackup=10 #Add this
  ...
  output truncated
  Note: log volume & policy volume is already mounted invim /etc/kubernetes/manifests/kube-apiserver.yamlso no need to mount it.
  
  Reference:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
  

a. Retrieve the content of the existing secret nameddefault-token-xxxxxin the testing namespace.Store the value of the token in the token.txtb. Create a new secret named test-db-secret in the DB namespace with the following content:username:mysqlpassword:password@123Create the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

• A . Explanation:
  To add a Kubernetes cluster to your project, group, or instance:
  Navigate to your:
  Project'sOperations > Kubernetespage, for a project-level cluster.
  Group'sKubernetespage, for a group-level cluster.
  Admin Area >Kubernetespage, for an instance-level cluster.
  ClickAdd Kubernetes cluster.
  Click theAdd existing clustertab and fill in the details:
  Kubernetes cluster name(required) - The name you wish to give the cluster.
  Environment scope(required) - Theassociated environmentto this cluster.
  API URL(required) - It's the URL that GitLab uses to access the Kubernetes API. Kubernetes exposes several APIs, we want the ''base'' URL that is common to all of them. For example,https://kubernetes.example.comrather thanhttps://kubernetes.example.com/api/v1.
  Get the API URL by running this command:
  kubectl cluster-info | grep -E 'Kubernetes master|Kubernetes control plane' | awk '/http/ {print $NF}'
  CA certificate(required) - A valid Kubernetes certificate is needed to authenticate to the cluster. We use the certificate created by default.
  List the secrets withkubectl get secrets, and one should be named similar todefault-token-xxxxx. Copy that token name for use below.
  Get the certificate by running this command:
  kubectl get secret <secret name> -o jsonpath='{['data']['ca\.crt']}'
  

Analyze and edit the given DockerfileFROM ubuntu:latestRUN apt-get update -yRUN apt-install nginx -yCOPY entrypoint.sh /ENTRYPOINT ['/entrypoint.sh']USER ROOTFixing two instructions present in the file being prominent security best practice issuesAnalyze and edit the deployment manifest fileapiVersion: v1kind: Podmetadata:name: security-context-demo-2spec:securityContext:runAsUser: 1000containers:- name: sec-ctx-demo-2image: gcr.io/google-samples/node-hello:1.0securityContext:runAsUser: 0privileged: TrueallowPrivilegeEscalation: falseFixing two fields present in the file being prominent security best practice issuesDon't add or remove configuration settings; only modify the existing configuration settingsWhenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487

• A . Explanation:
  FROM debian:latest
  MAINTAINER k@bogotobogo.com
  # 1 - RUN
  RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
  RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
  RUN apt-get clean
  # 2 - CMD
  #CMD ['htop']
  #CMD ['ls', '-l']
  # 3 - WORKDIR and ENV
  WORKDIR /root
  ENV DZ version1
  $ docker image build -t bogodevops/demo .
  Sending build context to Docker daemon 3.072kB
  Step 1/7 : FROM debian:latest
  ---> be2868bebaba
  Step 2/7 : MAINTAINER k@bogotobogo.com
  ---> Using cache
  ---> e2eef476b3fd
  Step 3/7 : RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
  ---> Using cache
  ---> 32fd044c1356
  Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
  ---> Using cache
  ---> 0a5b514a209e
  Step 5/7 : RUN apt-get clean
  ---> Using cache
  ---> 5d1578a47c17
  Step 6/7 : WORKDIR /root
  ---> Using cache
  ---> 6b1c70e87675
  Step 7/7 : ENV DZ version1
  ---> Using cache
  ---> cd195168c5c7
  Successfully built cd195168c5c7
  Successfully tagged bogodevops/demo:latest
  

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.Fix all of the following violations that were found against theAPI server:-a. Ensure that the RotateKubeletServerCertificate argument is set to true.b. Ensure that the admission control plugin PodSecurityPolicy is set.c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.Fix all of the following violations that were found against theKubelet:-a. Ensure the --anonymous-auth argument is set to false.b. Ensure that the --authorization-mode argument is set to Webhook.Fix all of the following violations that were found against theETCD:-a. Ensure that the --auto-tls argument is not set to trueb. Ensure that the --peer-auto-tls argument is not set to trueHint: Take the use of Tool Kube-Bench

• A . Explanation:
  Fix all of the following violations that were found against theAPI server:-
  a. Ensure that the RotateKubeletServerCertificate argument is set to true.
  apiVersion: v1
  kind: Pod
  metadata:
  creationTimestamp: null
  labels:
  component: kubelet
  tier: control-plane
  name: kubelet
  namespace: kube-system
  spec:
  containers:
  - command:
  - kube-controller-manager
  + - --feature-gates=RotateKubeletServerCertificate=true
  image: gcr.io/google_containers/kubelet-amd64:v1.6.0
  livenessProbe:
  failureThreshold: 8
  httpGet:
  host: 127.0.0.1
  path: /healthz
  port: 6443
  scheme: HTTPS
  initialDelaySeconds: 15
  timeoutSeconds: 15
  name: kubelet
  resources:
  requests:
  cpu: 250m
  volumeMounts:
  - mountPath: /etc/kubernetes/
  name: k8s
  readOnly: true
  - mountPath: /etc/ssl/certs
  name: certs
  - mountPath: /etc/pki
  name: pki
  hostNetwork: true
  volumes:
  - hostPath:
  path: /etc/kubernetes
  name: k8s
  - hostPath:
  path: /etc/ssl/certs
  name: certs
  - hostPath:
  path: /etc/pki
  name: pki
  b. Ensure that the admission control plugin PodSecurityPolicy is set.
  audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
  tests:
  test_items:
  - flag: '--enable-admission-plugins'
  compare:
  op: has
  value: 'PodSecurityPolicy'
  set: true
  remediation: |
  Follow the documentation and create Pod Security Policy objects as per your environment.
  Then, edit the API server pod specification file $apiserverconf
  on the master node and set the --enable-admission-plugins parameter to a
  value that includes PodSecurityPolicy :
  --enable-admission-plugins=...,PodSecurityPolicy,...
  Then restart the API Server.
  scored: true
  c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
  audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
  tests:
  test_items:
  - flag: '--kubelet-certificate-authority'
  set: true
  remediation: |
  Follow the Kubernetes documentation and setup the TLS connection between the
  apiserver and kubelets. Then, edit the API server pod specification file
  $apiserverconf on the master node and set the --kubelet-certificate-authority
  parameter to the path to the cert file for the certificate authority.
  --kubelet-certificate-authority=<ca-string>
  scored: true
  Fix all of the following violations that were found against theETCD:-
  a. Ensure that the --auto-tls argument is not set to true
  Edit the etcd pod specification file $etcdconf on the master
  node and either remove the --auto-tls parameter or set it to false.
  --auto-tls=false
  b. Ensure that the --peer-auto-tls argument is not set to true
  Edit the etcd pod specification file $etcdconf on the master
  node and either remove the --peer-auto-tls parameter or set it to false.
  --peer-auto-tls=false
  

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

• A . Explanation:
  Create psp to disallow privileged container
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: deny-access-role
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - ''deny-policy''
  k create sa psp-denial-sa -n development
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
  name: restrict-access-bing
  roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
  Explanation
  master1 $ vim psp.yaml
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
  name: deny-policy
  spec:
  privileged: false # Don't allow privileged pods!
  seLinux:
  rule: RunAsAny
  supplementalGroups:
  rule: RunAsAny
  runAsUser:
  rule: RunAsAny
  fsGroup:
  rule: RunAsAny
  volumes:
  - '*'
  master1 $ vim cr1.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: deny-access-role
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - ''deny-policy''
  master1 $k create sa psp-denial-sa -n development
  
  master1 $ vim cb1.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
  name: restrict-access-bing
  roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
  subjects:
  # Authorize specific service accounts:
  - kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
  master1 $k apply -f psp.yaml
  master1 $k apply -f cr1.yaml
  master1 $k apply -f cb1.yaml
  
  Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/