---
title: Kubernetes Pod Security Admission (PSA): Policy Labels and Violation Testing in Practice
keywords: PSA, pod-security.kubernetes.io/enforce, baseline, restricted, warn, audit
description: Apply PSA labels to a namespace to enforce, warn on, or audit different security levels, and verify that the policy takes effect with a violating example.
categories:
- Articles
- Technical tutorials
---

Set the PSA labels on the namespace:

```
kubectl create namespace secure
kubectl label namespace secure \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest \
  pod-security.kubernetes.io/warn=baseline \
  pod-security.kubernetes.io/warn-version=latest \
  pod-security.kubernetes.io/audit=baseline \
  pod-security.kubernetes.io/audit-version=latest --overwrite
```

The three modes act independently: `enforce` rejects a non-compliant Pod, `warn` admits it but returns a warning to the client, and `audit` admits it and records the violation as an annotation in the API server audit log.

A violating example (it should be rejected or trigger a warning):

```
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: secure
spec:
  hostNetwork: true
  containers:
  - name: c
    image: busybox:1.36
    securityContext:
      runAsUser: 0
    command: ['sh','-c','sleep 3600']
```

Verification result (sample output):

```
kubectl apply -f bad.yaml
# Error from server (Forbidden): ... violates PodSecurity "restricted:latest":
# hostNetwork: unrestricted, runAsUser: 0 is not allowed
```
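As an added example that is not part of the original post, the following Python script re-implements a subset of the Pod Security Standards `baseline` and `restricted` checks offline and runs them over the bad-pod manifest above and a hardened variant. The manifests are constructed copies of the page's YAML as Python dicts, and the violation strings are the checker's own (kube-apiserver's real messages are longer and list every failing field).

```python
# Offline checker for a subset of the PSS rules that PSA evaluates.
# Not the real admission controller: it only covers host namespaces,
# privileged, allowPrivilegeEscalation, runAsNonRoot/runAsUser,
# capabilities.drop and seccompProfile.

def make_pod(name, host_network, sc):
    """Build a Pod dict shaped like the page's bad.yaml (constructed data)."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "secure"},
            "spec": {"hostNetwork": host_network, "containers": [{
                "name": "c", "image": "busybox:1.36", "securityContext": sc,
                "command": ["sh", "-c", "sleep 3600"]}]}}

BAD_POD = make_pod("bad-pod", True, {"runAsUser": 0})
GOOD_POD = make_pod("good-pod", False, {
    "runAsNonRoot": True, "runAsUser": 1000, "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]}, "seccompProfile": {"type": "RuntimeDefault"}})

def check_pod(pod, level):
    """Return violation strings for level 'baseline' or 'restricted'.
    Restricted includes every baseline rule; container fields override pod fields."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    viol = []
    # baseline: no host namespaces, no privileged containers
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            viol.append(f"host namespaces ({ns}=true)")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            viol.append(f'privileged (container "{c["name"]}")')
        if level != "restricted":
            continue
        # restricted: must be explicitly locked down, on the container or the pod
        if sc.get("allowPrivilegeEscalation") is not False:
            viol.append(f'allowPrivilegeEscalation != false (container "{c["name"]}")')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            viol.append(f'runAsNonRoot != true (container "{c["name"]}")')
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            viol.append(f'runAsUser=0 (container "{c["name"]}")')
        if "ALL" not in [x.upper() for x in (sc.get("capabilities") or {}).get("drop", [])]:
            viol.append(f'unrestricted capabilities (container "{c["name"]}" must drop ALL)')
        prof = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if prof not in ("RuntimeDefault", "Localhost"):
            viol.append(f'seccompProfile (container "{c["name"]}" must be RuntimeDefault/Localhost)')
    return viol

if __name__ == "__main__":
    for p in (BAD_POD, GOOD_POD):
        print(p["metadata"]["name"], "restricted:", check_pod(p, "restricted") or "OK")
```

Note that `bad-pod` fails `restricted` on six counts even though the page's sample output names only two, while at `baseline` only `hostNetwork` is flagged, which is why the same Pod produces a warning under `warn=baseline` but a rejection under `enforce=restricted`.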
