getting-started.md

File metadata and controls

47 lines (33 loc) · 1.69 KB

Getting Started

Prepare Kubernetes Cluster

pod-security-admission can be tried out on a kind cluster (kind runs Kubernetes nodes as Docker containers).

If you don't have a Kubernetes cluster, set up kind, then run:

$ kind create cluster

Install cert-manager

The API server only calls admission webhooks over TLS, so the webhook needs a serving certificate. Install cert-manager, a native Kubernetes certificate management controller, which issues that certificate; see the cert-manager documentation for installation details.

Deploy pod-security-admission

Before deploying the webhook, label the system namespaces as privileged so that control-plane and cert-manager Pods are exempt from the stricter default policy:

$ kubectl label namespace/kube-system pod-security.cybozu.com/policy=privileged
$ kubectl label namespace/cert-manager pod-security.cybozu.com/policy=privileged

Deploy pod-security-admission. Note that `helm template` only renders the manifests to stdout, so pipe them into `kubectl apply` (or use `helm install` instead):

$ helm repo add pod-security-admission https://cybozu-go.github.io/pod-security-admission
$ helm repo update
$ helm template pod-security-admission pod-security-admission/pod-security-admission | kubectl apply -f -

Verification

Now a Pod that violates the policy is rejected. The test manifest below adds the SYSLOG capability, which the baseline policy forbids; the denial comes from the `baseline.vpod.kb.io` validating webhook, so if you instead see "failed calling webhook", the webhook Pod or its certificate is not ready yet:

$ kubectl apply -f hooks/testdata/baseline/additional-capability.yaml
Error from server (spec.containers[0].securityContext.capabilities.add[1]: Forbidden: Adding capability SYSLOG is not allowed): error when creating "hooks/testdata/baseline/additional-capability.yaml": admission webhook "baseline.vpod.kb.io" denied the request: spec.containers[0].securityContext.capabilities.add[1]: Forbidden: Adding capability SYSLOG is not allowed
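The whole procedure above, scripted end to end with a verification step, as an added example (this is not code from the pod-security-admission project). It assumes `kind`, `helm` and `kubectl` on the PATH, installs cert-manager from the jetstack chart with `installCRDs=true` (an assumption about that chart's values), and verifies the webhook with `kubectl apply --dry-run=server`, which runs admission but creates nothing. The Pod manifests and the sample denial message are constructed here; the manifests live in functions so they can be checked without a cluster.

```shell
#!/usr/bin/env bash
# Added example: bring up kind + cert-manager + pod-security-admission and verify
# the baseline policy. Not part of the project's own code.
set -euo pipefail

# Namespaces exempted from the default policy; without this label the webhook
# can block control-plane and cert-manager Pods that need host privileges.
PRIVILEGED_NAMESPACES="kube-system cert-manager"

# Sample denial, constructed from the message kubectl prints on rejection.
SAMPLE_DENIAL='Error from server (spec.containers[0].securityContext.capabilities.add[1]: Forbidden: Adding capability SYSLOG is not allowed): error when creating "pod.yaml": admission webhook "baseline.vpod.kb.io" denied the request: spec.containers[0].securityContext.capabilities.add[1]: Forbidden: Adding capability SYSLOG is not allowed'

# Pod that violates baseline: it adds SYSLOG, which baseline does not allow.
violating_pod_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: psa-violating
  namespace: default
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      capabilities:
        add: ["NET_BIND_SERVICE", "SYSLOG"]
EOF
}

# Pod that stays within baseline: no added capabilities, no host access.
compliant_pod_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: psa-compliant
  namespace: default
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
EOF
}

# Read a kubectl error on stdin; print the name of the admission webhook that
# denied the request, or nothing if the error was not a webhook denial
# (e.g. "failed calling webhook", which means the webhook is not ready).
denying_webhook() {
  sed -n 's/.*admission webhook "\([^"]*\)" denied the request.*/\1/p' | head -n1
}

bring_up() {
  kind get clusters | grep -qx kind || kind create cluster
  helm repo add jetstack https://charts.jetstack.io >/dev/null
  helm repo add pod-security-admission https://cybozu-go.github.io/pod-security-admission >/dev/null
  helm repo update >/dev/null
  # cert-manager must exist before its namespace can be labelled (assumed chart values).
  helm upgrade --install cert-manager jetstack/cert-manager \
    --namespace cert-manager --create-namespace --set installCRDs=true --wait
  for ns in $PRIVILEGED_NAMESPACES; do
    kubectl label namespace "$ns" pod-security.cybozu.com/policy=privileged --overwrite
  done
  # helm template only renders; the manifests still have to be applied.
  helm template pod-security-admission pod-security-admission/pod-security-admission | kubectl apply -f -
}

# Retry because the webhook's serving certificate takes a moment to be issued.
verify() {
  local attempt out wh
  for attempt in $(seq 1 30); do
    if out=$(violating_pod_manifest | kubectl apply --dry-run=server -f - 2>&1); then
      echo "FAIL: violating Pod was admitted"; return 1
    fi
    wh=$(printf '%s\n' "$out" | denying_webhook)
    if [ -n "$wh" ]; then
      echo "OK: violating Pod denied by webhook $wh"
      compliant_pod_manifest | kubectl apply --dry-run=server -f - >/dev/null
      echo "OK: compliant Pod admitted"
      return 0
    fi
    echo "webhook not ready yet (attempt $attempt): $out"; sleep 5
  done
  return 1
}

# Run as: bash psa-getting-started.sh up
if [ "${1:-}" = "up" ]; then bring_up; verify; fi
```

Using `--dry-run=server` keeps the verification side-effect free: admission runs exactly as for a real create, but nothing is persisted, so the check can be repeated in CI without cleaning up Pods.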