# How PSA works in a live cluster
## Enable PSA in a Kubeadm cluster
On Kubernetes 1.22 it cannot be enabled through the `feature-gates` flag; kubeadm does not know the gate:
```
# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.3", GitCommit:"c92036820499fedefec0f847e2054d824aea6cd1", GitTreeState:"clean", BuildDate:"2021-10-27T18:40:11Z", GoVersion:"go1.16.9", Compiler:"gc", Platform:"linux/amd64"}
# kubeadm init --pod-network-cidr=192.168.0.0/16 --feature-gates="PodSecurity=true"
unrecognized feature-gate key: PodSecurity
To see the stack trace of this error execute with --v=5 or higher
```
Instead it is installed as a separate validating admission webhook from the `pod-security-admission` repository (`k` below is an alias for `kubectl`):
```
git clone https://github.com/kubernetes/pod-security-admission.git
cd pod-security-admission/webhook
make certs
kubectl apply -k .
# k -n pod-security-webhook get pod
NAME READY STATUS RESTARTS AGE
pod-security-webhook-56854c86b9-bcc5c 1/1 Running 0 12m
```
PSA creates a `validatingwebhookconfiguration` with two webhooks: one with `failurePolicy: Fail` for namespaces, pods and ephemeral containers, and an advisory one with `failurePolicy: Ignore` for the workload controllers (deployments, jobs, etc.) that create pods indirectly.
```
# k get validatingwebhookconfigurations
NAME WEBHOOKS AGE
pod-security-webhook.kubernetes.io 2 13m
```
<details>
```yaml
# k get validatingwebhookconfigurations pod-security-webhook.kubernetes.io -o yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  # kubectl.kubernetes.io/last-applied-configuration annotation omitted
  creationTimestamp: "2021-11-10T20:10:48Z"
  generation: 1
  name: pod-security-webhook.kubernetes.io
  resourceVersion: "1559"
  uid: 328a2dd2-44b8-4d78-bc2d-97871b32d1e3
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    caBundle: # base64-encoded CA certificate omitted
    service:
      name: webhook
      namespace: pod-security-webhook
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: pod-security-webhook.kubernetes.io
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - pod-security-webhook
  objectSelector: {}
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - namespaces
    - pods
    - pods/ephemeralcontainers
    scope: '*'
  sideEffects: None
  timeoutSeconds: 5
- admissionReviewVersions:
  - v1
  clientConfig:
    caBundle: # base64-encoded CA certificate omitted
    service:
      name: webhook
      namespace: pod-security-webhook
      port: 443
  failurePolicy: Ignore
  matchPolicy: Equivalent
  name: advisory.pod-security-webhook.kubernetes.io
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - pod-security-webhook
  objectSelector: {}
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - podtemplates
    - replicationcontrollers
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - daemonsets
    - deployments
    - replicasets
    - statefulsets
    scope: '*'
  - apiGroups:
    - batch
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - cronjobs
    - jobs
    scope: '*'
  sideEffects: None
  timeoutSeconds: 5
```
</details>
***Updated: with Kubernetes 1.23.0, PSA is enabled by default as a built-in admission controller in the API server, so no webhook configuration is needed.***
## `PodSecurityConfiguration` Default Values
In Kubernetes 1.23, the default level for all 3 modes (enforce, audit and warn) is `privileged`, i.e. nothing is restricted until a namespace is labeled. Check [this](https://github.com/kubernetes/pod-security-admission/blob/49aebb9d71c69639bf406ac8c9acd416d5fa0b1f/webhook/manifests/20-configmap.yaml#L10-L26) file for the default `PodSecurityConfiguration`.
>*The Kubernetes Enhancement Proposal (KEP) hints at a future where `baseline` could be [the default for unlabeled namespaces](https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md#rollout-of-baseline-by-default-for-unlabeled-namespaces), reference [link](https://deploy-preview-30502--kubernetes-io-main-staging.netlify.app/blog/2021/12/15/pod-security-admission-beta/#auditing).*
## Enforce Pod Security Standards for Namespaces
### Enforce existing Namespaces
- For existing pods
```
# k label ns test pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "test" violate the new PodSecurity enforce level "restricted:latest"
Warning: pod: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
```
```
# k label --dry-run=server --overwrite ns test pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "test" violate the new PodSecurity enforce level "restricted:latest"
Warning: nginx-6799fc88d8-5nltb (and 2 other pods): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
```
- For new pods
```
# k -n test create -f pod.yaml
Error from server (Forbidden): error when creating "pod.yaml": admission webhook "pod-security-webhook.kubernetes.io" denied the request: pods "nginx" is forbidden: violates PodSecurity "restricted:v1.22": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod must not set securityContext.runAsNonRoot=false), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
- For new deployments
```
# k -n test create deploy test-psa --image=nginx
deployment.apps/test-psa created
# k -n test get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
test-psa 0/1 0 0 8s
```
<details>
```
# k -n test get rs
NAME DESIRED CURRENT READY AGE
test-psa-77f9d567ff 1 0 0 11s
# k -n test describe rs
Name: test-psa-77f9d567ff
Namespace: test
Selector: app=test-psa,pod-template-hash=77f9d567ff
Labels: app=test-psa
pod-template-hash=77f9d567ff
...
Conditions:
Type Status Reason
---- ------ ------
ReplicaFailure True FailedCreate
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 20s replicaset-controller Error creating: admission webhook "pod-security-webhook.kubernetes.io" denied the request: pods "test-psa-77f9d567ff-69289" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
...
Warning FailedCreate 18s replicaset-controller Error creating: admission webhook "pod-security-webhook.kubernetes.io" denied the request: pods "test-psa-77f9d567ff-6qvxw" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Warning FailedCreate 9s (x3 over 17s) replicaset-controller (combined from similar events): Error creating: admission webhook "pod-security-webhook.kubernetes.io" denied the request: pods "test-psa-77f9d567ff-c6gsk" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
</details>
- Warnings
```
# kubectl label ns test pod-security.kubernetes.io/warn=restricted
namespace/test labeled
# k -n test create deploy nginx-2 --image=nginx
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/nginx-2 created
```
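The admission errors above name the same four `restricted` requirements every time. As an added example (not code from this note or from the pod-security-admission project), the following re-implements just those four checks over two constructed pod manifests: the stock `nginx` pod the note rejects, and a hardened version that satisfies them. The real `restricted` profile checks more fields than these.

```python
# Added example, not code from the note or the pod-security-admission project:
# re-implements only the four "restricted" checks quoted in the admission errors
# above; the real restricted profile checks more than these four fields.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def check_restricted(pod: dict) -> list[str]:
    """Return the restricted-level violations found in a pod manifest (dict form)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    violations = []

    def sc(c):  # container-level securityContext, {} when absent
        return c.get("securityContext", {})

    names = [c["name"] for c in containers if sc(c).get("allowPrivilegeEscalation") is not False]
    if names:
        violations.append(f"allowPrivilegeEscalation != false (containers {names} must set "
                          "securityContext.allowPrivilegeEscalation=false)")
    names = [c["name"] for c in containers
             if "ALL" not in sc(c).get("capabilities", {}).get("drop", [])]
    if names:
        violations.append(f"unrestricted capabilities (containers {names} must set "
                          'securityContext.capabilities.drop=["ALL"])')
    # runAsNonRoot and seccompProfile may be set at pod level; a container value overrides it
    names = [c["name"] for c in containers
             if sc(c).get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True]
    if names:
        violations.append(f"runAsNonRoot != true (pod or containers {names} must set "
                          "securityContext.runAsNonRoot=true)")
    names = [c["name"] for c in containers
             if sc(c).get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
             not in ALLOWED_SECCOMP]
    if names:
        violations.append(f"seccompProfile (pod or containers {names} must set "
                          'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return violations


# Constructed inputs: the stock nginx pod the note rejects, and a hardened version of it.
DEFAULT_NGINX = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
                 "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}
HARDENED_NGINX = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
                  "spec": {"securityContext": {"runAsNonRoot": True,
                                               "seccompProfile": {"type": "RuntimeDefault"}},
                           "containers": [{"name": "nginx", "image": "nginx",
                                           "securityContext": {"allowPrivilegeEscalation": False,
                                                               "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("default", DEFAULT_NGINX), ("hardened", HARDENED_NGINX)):
        print(label, "->", check_restricted(pod) or "passes restricted")
```

Passing admission is not the same as running: the stock `nginx` image starts as root, so with `runAsNonRoot: true` the kubelet will refuse to start the container; use an image built to run as a non-root user.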