EPISODE · Sep 9, 2025 · 13 MIN
Kyverno Pod Security: Allowing NET_RAW for Legacy Apps
from DevOps & Cloud Interview Questions and Answers - Part 1 · host devopsinterviewcloud
When legacy workloads need NET_RAW, blanket Pod Security Admission enforcement breaks them — this episode walks through using Kyverno mutation policies to handle the exception without weakening your cluster-wide baseline.

You'll learn:
- Why NET_RAW is dropped by the Kubernetes restricted and baseline PSA profiles and what that breaks in practice
- How to write a Kyverno mutate policy that injects a securityContext exception for specific legacy workloads
- Namespace-scoping strategies so your mutation doesn't accidentally widen the attack surface cluster-wide
- How to test policy enforcement with kubectl --dry-run and Kyverno's CLI before rolling to production
- Common gotchas: policy ordering, admission webhook conflicts, and audit vs enforce mode differences

Keywords: Kyverno mutation policy, Pod Security Admission NET_RAW, Kubernetes pod security, PSA legacy workloads, Kyverno securityContext

🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud
No transcript for this episode yet