starlingx/docs
Code Issues Proposed changes
Files
7c82fac67ade8b16f95c84b24de4c677665cf57a
docs/doc/source/security/kubernetes/assign-pod-security-policies.rst
Juanita-Balaraj 63cd4f5fdc CephFS RWX Support in Host-based Ceph 
Incorporated patchset 1 review comments
Updated patchset 5 review comments
Updated patchset 6 review comments
Fixed merge conflicts
Updated patchset 8 review comments

Change-Id: Icd7b08ab69273f6073b960a13cf59905532f851a
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
2021-05-03 16:39:45 -04:00

128 lines
4.3 KiB
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.. ler1590089128119
.. _assign-pod-security-policies:
============================
Assign Pod Security Policies
============================
This section describes Pod security policies for **cluster-admin users**,
and **non-cluster-admin users**.
.. contents::
:local:
:depth: 1
.. _assign-pod-security-policies-section-xyl-2vp-bmb:
-------------------
cluster-admin users
-------------------
After enabling |PSP| checking, all users with **cluster-admin** roles can
directly create pods since they have access to the **privileged** |PSP|. Also,
based on the ClusterRoleBindings and RoleBindings automatically added by
|prod|, all users with cluster-admin roles can also create privileged
Deployment/ReplicaSets/etc. in the kube-system namespace and restricted
Deployment/ReplicaSets/etc. in any other namespace.
In order to enable privileged Deployment/ReplicaSets/etc. to be created in
another namespace, a role binding of a |PSP| role to
**system:serviceaccounts:kube-system** for the target namespace, is required.
However, this will enable *ANY* user with access to Deployments/ReplicaSets/etc
in this namespace to create privileged Deployments/ReplicaSets. The following
example describes the required RoleBinding to allow "creates" of privileged
Deployments/ReplicaSets/etc in the 'default' namespace for any user with access
to Deployments/ReplicaSets/etc. in the default namespace.
.. code-block:: none
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: default-privileged-psp-users
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: privileged-psp-user
subjects:
- kind: Group
name: system:serviceaccounts:kube-system
apiGroup: rbac.authorization.k8s.io
.. _assign-pod-security-policies-section-bm5-vxp-bmb:
-----------------------
non-cluster-admin users
-----------------------
Based on the ClusterRoleBindings and RoleBindings automatically added by
|prod|, non-cluster-admin users have at least restricted |PSP| privileges, for
both Pods and Deployment/ReplicaSets/etc., for any namespaces they have access
to based on other [Cluster]RoleBindings. If a non-cluster-admin user requires
privileged capabilities for the namespaces they have access to, they require a
new RoleBinding to the **privileged-psp-user** role to create pods directly.
For creating privileged pods through deployments/ReplicaSets/etc., the target
namespace being used will also require a RoleBinding for the corresponding
controller serviceAccounts in kube-system \(or generally
**system:serviceaccounts:kube-system**\).
.. rubric:: |proc|
#. Define the required RoleBinding for the user in the target namespace.
For example, the following RoleBinding assigns the 'privileged' |PSP|
role to dave-user in the billing-dept-ns namespace, from the examples
in :ref:`Enable Pod Security Policy Checking
<enable-pod-security-policy-checking>`.
.. code-block:: none
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dave-privileged-psp-users
namespace: billing-dept-ns
subjects:
- kind: ServiceAccount
name: dave-user
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: privileged-psp-user
This will enable dave-user to create Pods in billing-dept-ns namespace
subject to the privileged |PSP| policy.
#. Define the required RoleBinding for system:serviceaccounts:kube-system
in the target namespace.
For example, the following RoleBinding assigns the 'privileged' |PSP| to
all kube-system ServiceAccounts operating in billing-dept-ns namespace.
.. code-block:: none
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: billing-dept-ns-privileged-psp-users
namespace: billing-dept-ns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: privileged-psp-user
subjects:
- kind: Group
name: system:serviceaccounts:kube-system
apiGroup: rbac.authorization.k8s.io
This will enable dave-user to create Deployments/ReplicaSets/etc. in
billing-dept-ns namespace subject to the privileged |PSP| policy.
View Git Blame Copy Permalink