.. _assign-pod-security-policies:

============================
Assign Pod Security Policies
============================

.. note::

   PodSecurityPolicy (PSP) ONLY applies if running on K8S v1.24 or earlier.

   PodSecurityPolicy (PSP) is deprecated as of Kubernetes v1.21 and removed
   from K8S v1.25.

   Instead of using PodSecurityPolicy, you can enforce similar restrictions
   on Pods using the
   :ref:`Pod Security Admission Controller <pod-security-admission-controller-8e9e6994100f>`.

This section describes Pod security policies for **cluster-admin users**
and **non-cluster-admin users**.

.. contents::
   :local:
   :depth: 1

.. _assign-pod-security-policies-section-xyl-2vp-bmb:

-------------------
cluster-admin users
-------------------

After enabling |PSP| checking, all users with **cluster-admin** roles can
directly create pods, since they have access to the **privileged** |PSP|.
Also, based on the ClusterRoleBindings and RoleBindings automatically added
by |prod|, all users with cluster-admin roles can also create privileged
Deployments/ReplicaSets/etc. in the kube-system namespace and restricted
Deployments/ReplicaSets/etc. in any other namespace.

In order to enable privileged Deployments/ReplicaSets/etc. to be created in
another namespace, a RoleBinding of a |PSP| role to
**system:serviceaccounts:kube-system** in the target namespace is required.
However, this will enable *ANY* user with access to Deployments/ReplicaSets/etc.
in this namespace to create privileged Deployments/ReplicaSets, because the
controllers in kube-system create the pods on that user's behalf. The
following example describes the RoleBinding required to allow "creates" of
privileged Deployments/ReplicaSets/etc. in the 'default' namespace for any
user with access to Deployments/ReplicaSets/etc. in the 'default' namespace.

.. code-block:: none

   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: default-privileged-psp-users
     namespace: default
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: privileged-psp-user
   subjects:
   - kind: Group
     name: system:serviceaccounts:kube-system
     apiGroup: rbac.authorization.k8s.io

.. _assign-pod-security-policies-section-bm5-vxp-bmb:

-----------------------
non-cluster-admin users
-----------------------

Based on the ClusterRoleBindings and RoleBindings automatically added by
|prod|, non-cluster-admin users have at least restricted |PSP| privileges,
for both Pods and Deployments/ReplicaSets/etc., in any namespace they have
access to based on other [Cluster]RoleBindings. If a non-cluster-admin user
requires privileged capabilities in the namespaces they have access to, they
require a new RoleBinding to the **privileged-psp-user** role to create
privileged pods directly. For creating privileged pods through
Deployments/ReplicaSets/etc., the target namespace will also require a
RoleBinding for the corresponding controller ServiceAccounts in kube-system
(or generally **system:serviceaccounts:kube-system**).

.. rubric:: |proc|

#. Define the required RoleBinding for the user in the target namespace.

   For example, the following RoleBinding assigns the 'privileged' |PSP|
   role to dave-user in the billing-dept-ns namespace, from the examples
   in :ref:`Enable Pod Security Policy Checking
   <enable-pod-security-policy-checking>`.

   .. code-block:: none

      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: dave-privileged-psp-users
        namespace: billing-dept-ns
      subjects:
      - kind: ServiceAccount
        name: dave-user
        namespace: kube-system
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: privileged-psp-user

   This will enable dave-user to create Pods in the billing-dept-ns namespace
   subject to the privileged |PSP| policy.

#. Define the required RoleBinding for system:serviceaccounts:kube-system
   in the target namespace.

   For example, the following RoleBinding assigns the 'privileged' |PSP| to
   all kube-system ServiceAccounts operating in the billing-dept-ns namespace.

   .. code-block:: none

      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: billing-dept-ns-privileged-psp-users
        namespace: billing-dept-ns
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: privileged-psp-user
      subjects:
      - kind: Group
        name: system:serviceaccounts:kube-system
        apiGroup: rbac.authorization.k8s.io

   This will enable dave-user to create Deployments/ReplicaSets/etc. in the
   billing-dept-ns namespace subject to the privileged |PSP| policy.

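Because a RoleBinding of the privileged |PSP| role to
**system:serviceaccounts:kube-system** widens who can obtain privileged pods
in a namespace (both for the cluster-admin example and for the
non-cluster-admin procedure above), a cluster operator will want to audit
which namespaces carry such bindings. The following is an added example, not
part of this documentation or of |prod|; it reads JSON in the shape of
``kubectl get rolebindings -A -o json`` (the sample below is constructed
inline from the manifests on this page) and reports the privileged grants.

```python
import json

# Constructed sample in the shape of `kubectl get rolebindings -A -o json`,
# trimmed to the fields the audit reads; the web-ns binding is made up.
SAMPLE_ROLEBINDINGS = json.dumps({"items": [
    {"metadata": {"name": "billing-dept-ns-privileged-psp-users",
                  "namespace": "billing-dept-ns"},
     "roleRef": {"kind": "ClusterRole", "name": "privileged-psp-user"},
     "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "system:serviceaccounts:kube-system"}]},
    {"metadata": {"name": "dave-privileged-psp-users",
                  "namespace": "billing-dept-ns"},
     "roleRef": {"kind": "ClusterRole", "name": "privileged-psp-user"},
     "subjects": [{"kind": "ServiceAccount", "name": "dave-user",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "web-restricted", "namespace": "web-ns"},
     "roleRef": {"kind": "ClusterRole", "name": "restricted-psp-user"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]})

PRIVILEGED_ROLE = "privileged-psp-user"
KUBE_SYSTEM_SA_GROUP = "system:serviceaccounts:kube-system"


def subject_id(subject):
    """Name a subject the way the API server identifies it."""
    if subject.get("kind") == "ServiceAccount":
        return "system:serviceaccount:%s:%s" % (
            subject.get("namespace", ""), subject["name"])
    return "%s:%s" % (subject.get("kind", "?"), subject["name"])


def privileged_psp_grants(rolebindings_json):
    """Map namespace -> sorted subjects bound to privileged-psp-user there."""
    grants = {}
    for rb in json.loads(rolebindings_json)["items"]:
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != PRIVILEGED_ROLE:
            continue
        ns = rb["metadata"]["namespace"]
        for subject in rb.get("subjects", []):
            grants.setdefault(ns, set()).add(subject_id(subject))
    return {ns: sorted(subs) for ns, subs in grants.items()}


def namespaces_open_to_privileged_workloads(rolebindings_json):
    """Namespaces where the kube-system ServiceAccount group holds the privileged
    PSP: any user who can create Deployments/ReplicaSets there gets privileged pods."""
    return sorted(ns for ns, subs in privileged_psp_grants(rolebindings_json).items()
                  if "Group:" + KUBE_SYSTEM_SA_GROUP in subs)
```

Bindings that grant the privileged role through a ClusterRoleBinding rather than a namespaced RoleBinding are outside this check and need a separate query.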