


Create a PSP that allows only persistentVolumeClaim as the volume type in the namespace restricted.

Create a new PodSecurityPolicy named prevent-volume-policy that rejects pods mounting any volume type other than persistentVolumeClaim.

Create a new ServiceAccount named psp-sa in the namespace restricted.

Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policy.

Create a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.


Also, check whether the configuration works by trying to mount a Secret in the Pod manifest; the Pod creation should fail.

Pod manifest:

apiVersion: v1
kind: Pod
metadata:
  name:
spec:
  containers:
  - name:
    image:
    volumeMounts:
    - name:
      mountPath:
  volumes:
  - name:
    secret:
      secretName:

Answer:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
  # Allow core volume types.
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  # Assume that persistentVolumes set up by the cluster admin are safe to use.
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
  readOnlyRootFilesystem: false

