# Chapter 6.3 Pod Security Admission
###### tags: `Day 2 Exercises` `Chapter 6`

We can preview Pod Security Admission results with a server-side dry run. The following command evaluates every namespace and reports what effect enforcing the baseline Pod Security Standard would have, without changing anything.

```shell=
kubectl label --dry-run=server --overwrite ns --all \
    pod-security.kubernetes.io/enforce=baseline
```

For details of what the _Privileged_, _Baseline_, and _Restricted_ levels allow, see:

https://kubernetes.io/docs/concepts/security/pod-security-standards/

Let's create a namespace and apply Pod Security Admission to that namespace only.

```shell=
kubectl create ns restricted-space
kubectl label --overwrite ns restricted-space \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/enforce-version=v1.26
```

Once the label is in place, the namespace checks every pod against the restricted standard and rejects any that violate it.

Let's put that to the test by creating a Deployment in the `restricted-space` namespace. Notice that we are requesting `privileged` access, which should not be allowed.

```yaml=
cat << EOF | kubectl apply -n restricted-space -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pause
  labels:
    app: pause
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pause
  template:
    metadata:
      labels:
        app: pause
    spec:
      containers:
      - name: pause
        image: k8s.gcr.io/pause
        securityContext:
          privileged: true
EOF
```

Run `kubectl get events -n restricted-space` and determine why you were not able to deploy your application in the `restricted-space` namespace.

Report your findings to your instructor.
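
For comparison with the rejected Deployment above, here is an added example (not part of the original exercise) of the same workload with the security context settings that the restricted standard requires. The name `pause-restricted` and the UID `65535` are assumptions chosen for illustration.

```yaml
# Added example: the "pause" Deployment adjusted to satisfy the
# "restricted" Pod Security Standard enforced on restricted-space.
# pause-restricted and runAsUser 65535 are assumed values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pause-restricted
  labels:
    app: pause-restricted
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pause-restricted
  template:
    metadata:
      labels:
        app: pause-restricted
    spec:
      securityContext:
        runAsNonRoot: true        # restricted: containers must not run as root
        runAsUser: 65535          # assumed non-root UID; must not be 0
        seccompProfile:
          type: RuntimeDefault    # restricted: RuntimeDefault or Localhost
      containers:
      - name: pause
        image: k8s.gcr.io/pause
        securityContext:
          privileged: false               # baseline already forbids true
          allowPrivilegeEscalation: false # restricted: must be false
          capabilities:
            drop: ["ALL"]                 # restricted: drop all capabilities
```

Save it to a file and validate it against the namespace policy with `kubectl apply --dry-run=server -n restricted-space -f <file>` before applying it for real.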