DevOps & Cloud Interview Prep: Real Scenarios & Answers

Kyverno Pod Security: Allowing NET_RAW for Legacy Apps


When legacy workloads need NET_RAW, blanket Pod Security Admission enforcement breaks them — this episode walks through using Kyverno mutation policies to handle the exception without weakening your cluster-wide baseline.

You'll learn:

  • Why NET_RAW is dropped by the Kubernetes restricted and baseline PSA profiles and what that breaks in practice
  • How to write a Kyverno mutate policy that injects a securityContext exception for specific legacy workloads
  • Namespace-scoping strategies so your mutation doesn't accidentally widen the attack surface cluster-wide
  • How to test policy enforcement with kubectl --dry-run and Kyverno's CLI before rolling to production
  • Common gotchas: policy ordering, admission webhook conflicts, and audit vs enforce mode differences

Keywords: Kyverno mutation policy, Pod Security Admission NET_RAW, Kubernetes pod security, PSA legacy workloads, Kyverno securityContext

🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud


DevOps & Cloud Interview Prep: Real Scenarios & Answers, by https://DevOpsInterview.Cloud