Question 19
Domain 6: Security, RBAC & Configuration
Which Kubernetes mechanism enforces Pod Security Standards such as restricted, baseline, and privileged at the namespace level?
Correct answer: A
Explanation
Pod Security Admission enforces Pod Security Standards at the namespace level by reading namespace labels such as "pod-security.kubernetes.io/enforce". These labels select the policy level—"privileged", "baseline", or "restricted"—so pods in that namespace must meet the chosen standard.
Why each option is right or wrong
A. Namespace labels using Pod Security admission controls
Kubernetes Pod Security Admission (PSA), introduced in v1.25 to replace the removed PodSecurityPolicy, applies Pod Security Standards by evaluating namespace labels such as `pod-security.kubernetes.io/enforce`, `pod-security.kubernetes.io/audit`, and `pod-security.kubernetes.io/warn`. The label value selects one of the three standard levels—`privileged`, `baseline`, or `restricted`—and the admission controller then enforces that policy for pods created in that namespace.
B. PodSecurityPolicy objects bound to service accounts
C. SecurityContext fields defined only on individual containers
D. NetworkPolicy rules applied to each pod