A security team wants to ensure that all pods in a namespace run with a seccomp profile that meets the 'restricted' Pod Security Standard. Which Pod Security Admission configuration (policy level plus mode, set as namespace labels) should be used to enforce this so that non-compliant pods are rejected while compliant pods are still admitted?
- A
Enable the PodSecurity admission plugin with the 'restricted' policy and 'enforce' mode (namespace labels `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/enforce-version: <k8s minor>`)
Why right: 'enforce' is the only mode that rejects a pod on admission, and the 'restricted' standard requires `securityContext.seccompProfile.type` to be set to `RuntimeDefault` or `Localhost` (at pod level or on every container); an unset profile or `Unconfined` is rejected. Compliant pods are unaffected. Two practical caveats: pin `enforce-version` to the cluster's Kubernetes minor so a future upgrade that tightens the standard does not start rejecting pods, and roll out with `warn` and `audit` set to 'restricted' first to find offenders before switching 'enforce' on.
- B
Use a mutating admission webhook to automatically add seccomp profiles
Why wrong: a mutating webhook rewrites pod specs instead of enforcing a policy. It silently changes what workloads run with, it is not a Pod Security Admission mode, and nothing validates that the final spec is compliant (a pod that explicitly sets `Unconfined` is only caught if the webhook also overrides that). A validating check is what actually guarantees the requirement.
- C
Enable the PodSecurity admission plugin with the 'baseline' policy and 'enforce' mode
Why wrong: the 'baseline' standard only forbids an explicit `seccompProfile.type: Unconfined`; it allows the field to be left unset, so pods with no seccomp profile at all are still admitted. Only 'restricted' requires the profile to be set.
- D
Enable the PodSecurity admission plugin with the 'restricted' policy and 'warn' mode
Why wrong: 'warn' returns a warning to the client in the API response (and 'audit' writes an annotation to the audit log), but both modes still admit the non-compliant pod. They are useful for a dry run before enforcing, not for enforcement.
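To make the difference between options A, C and D concrete, the following added example (not Kubernetes source code, and not part of the original quiz) re-implements the seccomp rule of the 'baseline' and 'restricted' standards as published, models what each admission mode does with a violation, and runs three constructed pod specs through the three PSA-based options. The pod dicts, image name and the `admit`/`namespace_labels` helpers are this example's own; only the label keys and profile type values are real Kubernetes identifiers.

```python
"""Model of the seccomp rule in the 'baseline' and 'restricted' Pod Security
Standards and of how the PSA modes (enforce, audit, warn) react to a violation.

Added example, not Kubernetes code: the rule is re-implemented from the
published standards so the quiz options can be compared offline. Pod specs are
constructed inline as dicts using PodSpec field names.
"""

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}
MODES = ("enforce", "audit", "warn")


def _profile_type(security_context):
    """Return securityContext.seccompProfile.type, or None when it is not set."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")


def seccomp_violations(pod_spec, level):
    """List the seccomp violations of pod_spec against a PSS level.

    baseline:   the type must not be explicitly 'Unconfined'; unset is allowed.
    restricted: the effective type of every container must be RuntimeDefault
                or Localhost; a container may leave it unset only when the
                pod-level field is set to one of those values.
    Checked fields: spec.securityContext and the securityContext of each entry
    in initContainers, containers and ephemeralContainers.
    """
    if level not in ("baseline", "restricted"):
        raise ValueError(f"unknown level {level!r}")
    violations = []
    pod_type = _profile_type(pod_spec.get("securityContext"))
    pod_allowed = pod_type in ALLOWED_TYPES
    if pod_type == "Unconfined":
        violations.append("spec.securityContext: seccompProfile.type=Unconfined")
    elif level == "restricted" and pod_type is not None and not pod_allowed:
        violations.append(f"spec.securityContext: seccompProfile.type={pod_type} not allowed")
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            ctype = _profile_type(container.get("securityContext"))
            where = f"{field}[{container.get('name', '?')}]"
            if ctype == "Unconfined":
                violations.append(f"{where}: seccompProfile.type=Unconfined")
            elif level == "restricted":
                if ctype is None and not pod_allowed:
                    violations.append(f"{where}: seccompProfile.type not set")
                elif ctype is not None and ctype not in ALLOWED_TYPES:
                    violations.append(f"{where}: seccompProfile.type={ctype} not allowed")
    return violations


def admit(pod_spec, level, mode):
    """Outcome of one PSA mode for a pod, as (admitted, messages).

    Only 'enforce' rejects. 'warn' hands the messages back to the client as
    API response warnings and 'audit' records them in the audit log; both
    still admit the pod.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    violations = seccomp_violations(pod_spec, level)
    return (not violations or mode != "enforce"), violations


def namespace_labels(level="restricted", version="latest"):
    """Namespace labels applying one PSS level in all three modes.

    Pinning the *-version labels to the cluster's Kubernetes minor (for example
    'v1.29') keeps an upgrade that tightens the standards from suddenly
    rejecting pods that are admitted today.
    """
    labels = {}
    for mode in MODES:
        labels[f"pod-security.kubernetes.io/{mode}"] = level
        labels[f"pod-security.kubernetes.io/{mode}-version"] = version
    return labels


# Constructed sample pod specs (image name is a placeholder).
RUNTIME_DEFAULT_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app"}],  # inherits pod-level type
}
UNSET_POD = {"containers": [{"name": "app", "image": "example/app"}]}
UNCONFINED_POD = {
    "containers": [{"name": "app", "image": "example/app",
                    "securityContext": {"seccompProfile": {"type": "Unconfined"}}}],
}


def option_outcomes(pod_spec):
    """Whether each PSA-based quiz option (C, D, A) admits the given pod."""
    return {
        "C baseline/enforce": admit(pod_spec, "baseline", "enforce")[0],
        "D restricted/warn": admit(pod_spec, "restricted", "warn")[0],
        "A restricted/enforce": admit(pod_spec, "restricted", "enforce")[0],
    }


if __name__ == "__main__":
    for name, pod in [("RuntimeDefault", RUNTIME_DEFAULT_POD),
                      ("no profile", UNSET_POD), ("Unconfined", UNCONFINED_POD)]:
        print(f"{name:15s} {option_outcomes(pod)}")
    print(namespace_labels(version="v1.29"))
```

Running it shows the pod with no seccomp profile being admitted by option C (baseline permits an unset profile) and by option D (warn never rejects), and rejected only by option A; the RuntimeDefault pod is admitted by all three, which is the "without blocking compliant pods" half of the question.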