Scenario #42
Cluster Management
K8s v1.22, AWS EKS

Failed Pod Security Policy Enforcement Causing Privileged Container Launch

Privileged containers were able to run despite Pod Security Policy enforcement.

What Happened

A pod requesting `privileged: true` was admitted and ran, even though a restrictive PodSecurityPolicy that forbids privileged containers existed in the cluster.

Diagnosis Steps
  1. Checked pod events and API server logs: no PodSecurityPolicy denial was recorded for the pod. (A pod that was actually evaluated by PodSecurityPolicy admission also carries the `kubernetes.io/psp` annotation naming the policy that admitted it; its absence is the quickest sign that no policy was applied.)
  2. Verified the PodSecurityPolicy object itself, the RBAC that grants `use` on it, and the namespace annotations: the policy was correctly written and bound.
Root Cause

The PodSecurityPolicy admission controller was not enabled on the API server. A PodSecurityPolicy is only a stored object until the `PodSecurityPolicy` plugin is present in the API server's `--enable-admission-plugins` list; without it, nothing evaluates pod specs against the policy, so privileged pods are admitted as if no policy existed.

Fix/Workaround
• Enabled the PodSecurityPolicy admission controller (`PodSecurityPolicy` in the API server's `--enable-admission-plugins`) and confirmed that newly created pods now carry the `kubernetes.io/psp` annotation.
• Updated the PodSecurityPolicy to restrict privileged containers (`privileged: false`, `allowPrivilegeEscalation: false`, host namespaces off, `hostPath` not in the allowed volume types) and kept it bound through RBAC (`use` verb on the policy) to the service accounts that create pods, since a policy no requester is authorized to use is never selected.
Lessons Learned

Security policy objects do nothing on their own: the admission controller that evaluates them must be enabled and verified, or the policy gives a false sense of enforcement.

How to Avoid
  1. Double-check admission controller configuration during initial cluster setup, and test it by trying to create a privileged pod that the policy should reject. On a managed control plane such as EKS the API server flags are not user-editable, so confirm with the provider's documentation which admission plugins are enabled rather than assuming.
  2. Regularly audit security policies and admission controllers; for PodSecurityPolicy, check that running pods carry the `kubernetes.io/psp` annotation and that the policy it names is the restrictive one, not a cluster default permissive policy.
  3. Plan the migration away from PodSecurityPolicy: it was deprecated in Kubernetes v1.21 and removed in v1.25. Its built-in replacement, Pod Security Admission (the `pod-security.kubernetes.io/enforce` namespace label), is beta and enabled by default from v1.23.
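The audit check described above, as an added example that is not part of the original scenario write-up. It reads the JSON that `kubectl get pods -A -o json` prints (a v1 `PodList`) and reports two things: pods with no `kubernetes.io/psp` annotation, meaning the PodSecurityPolicy admission controller never evaluated them (this scenario's root cause), and pods a policy did evaluate but still allowed to run privileged, in host namespaces, or with `hostPath` volumes (a too-permissive policy was selected). The annotation name is real; the `RESTRICTED_PSP` dict is a hypothetical policy reduced to the fields checked here, and the sample `PodList` with its namespaces, pod names and images is constructed for the example.

```python
"""Offline audit of a PodList dump for PodSecurityPolicy enforcement gaps.

Added example, not from the original scenario. Pipe real cluster output in with
`kubectl get pods -A -o json | python3 psp_audit.py`; the constructed sample
below stands in for that output when run without stdin.
"""
import json
import sys

# The PSP admission controller stamps every pod it admits with this annotation.
PSP_ANNOTATION = "kubernetes.io/psp"

# Hypothetical restrictive policy, reduced to the PSP spec fields checked below.
RESTRICTED_PSP = {
    "privileged": False,
    "hostPID": False,
    "hostNetwork": False,
    "hostIPC": False,
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
}

# Constructed sample PodList (namespaces, names and images are made up).
SAMPLE_JSON = """
{
  "apiVersion": "v1", "kind": "PodList",
  "items": [
    {"metadata": {"namespace": "payments", "name": "api-7d9f",
                  "annotations": {"kubernetes.io/psp": "restricted"}},
     "spec": {"containers": [{"name": "api", "image": "api:1.4",
                              "securityContext": {"privileged": false}}]}},
    {"metadata": {"namespace": "default", "name": "debug-tool"},
     "spec": {"hostPID": true,
              "containers": [{"name": "shell", "image": "busybox",
                              "securityContext": {"privileged": true}}]}},
    {"metadata": {"namespace": "logging", "name": "agent-x1",
                  "annotations": {"kubernetes.io/psp": "eks.privileged"}},
     "spec": {"volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
              "containers": [{"name": "agent", "image": "agent:2.0"}]}}
  ]
}
"""


def violations(pod, psp=RESTRICTED_PSP):
    """Fields where the pod asks for more than the restrictive policy allows."""
    spec = pod.get("spec", {})
    found = []
    for host_ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(host_ns, False) and not psp[host_ns]:
            found.append(host_ns)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged", False) and not psp["privileged"]:
            found.append(f"container {c['name']}: privileged")
    for v in spec.get("volumes", []):
        # A volume's type is its single key other than "name" (hostPath, emptyDir, ...).
        vtype = next((k for k in v if k != "name"), "unknown")
        if vtype not in psp["volumes"]:
            found.append(f"volume {v['name']}: {vtype}")
    return found


def audit(podlist):
    """Map namespace/name -> (policy named by the PSP annotation or None, violations)."""
    report = {}
    for pod in podlist.get("items", []):
        meta = pod["metadata"]
        key = f"{meta['namespace']}/{meta['name']}"
        applied = (meta.get("annotations") or {}).get(PSP_ANNOTATION)
        report[key] = (applied, violations(pod))
    return report


def audit_json(text):
    """Convenience wrapper: parse kubectl's JSON output and audit it."""
    return audit(json.loads(text))


def unenforced(report):
    """Pods never evaluated by PSP admission: the admission controller is not running."""
    return sorted(k for k, (applied, _) in report.items() if applied is None)


def over_privileged(report):
    """Pods a policy evaluated but still allowed beyond the restrictive baseline."""
    return sorted(k for k, (applied, viol) in report.items() if applied and viol)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    rep = audit_json(text or SAMPLE_JSON)
    for key, (applied, viol) in sorted(rep.items()):
        print(f"{key:24} psp={applied or '<none>':16} {', '.join(viol) or 'ok'}")
    print("not evaluated by PSP admission:", unenforced(rep))
    print("allowed by a too-permissive policy:", over_privileged(rep))
```

A pod in the first list is the signature of this scenario: the policy exists but the admission controller never saw the pod. A pod in the second list points at policy selection instead; on EKS the annotation there will typically name the cluster's default permissive `eks.privileged` policy, which every authenticated user is allowed to use unless that binding is removed. The checks mirror only the PSP fields listed in `RESTRICTED_PSP`; a real policy also governs capabilities, user and group ranges, seccomp and AppArmor profiles.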