Runtime & Cluster Security
Pod Security Standards, Falco, eBPF runtime security, admission controllers (OPA, Kyverno), policy enforcement
1What are the three Pod Security Standards levels defined by Kubernetes?
What are the three Pod Security Standards levels defined by Kubernetes?
回答
Kubernetes defines three Pod Security Standards levels: Privileged (no restrictions), Baseline (minimally restrictive, blocks known privilege escalations like hostNetwork or privileged containers), and Restricted (highly restrictive, follows hardening best practices with runAsNonRoot, seccomp, etc.). These levels enable progressive security adoption based on application needs.
2How to apply the Baseline Pod Security Standards level to a namespace with kubectl?
How to apply the Baseline Pod Security Standards level to a namespace with kubectl?
回答
Using pod-security.kubernetes.io labels on the namespace enables Pod Security Standards. There are three modes: enforce (blocks), warn (warns), and audit (logs). The kubectl label command applies these labels with the desired level and version.
3What is the main difference between Baseline and Restricted Pod Security Standards levels?
What is the main difference between Baseline and Restricted Pod Security Standards levels?
回答
The Restricted level enforces runAsNonRoot, prohibiting execution as root, while Baseline allows root but blocks privilege escalations. Restricted also adds constraints on capabilities (drop ALL), seccomp (RuntimeDefault), and allowed volumes. It is the recommended level for critical workloads.
What is the main role of Falco in Kubernetes runtime security?
What technology enables Falco to monitor system events without modifying the Linux kernel?
+21 面接問題