Hi, I have followed the example https://github.com/kubernetes/kubernetes/tree/master/examples/podsecuritypolicy/rbac to use PodSecurityPolicy, but it does not seem to work in my environment. Restricted users/groups/service accounts can still launch privileged Pods.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
spec:
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - 'emptyDir'
  - 'secret'
  - 'downwardAPI'
  - 'configMap'
  - 'persistentVolumeClaim'
  - 'projected'

# privilegedPSP gives the privilegedPSP role
# to the group privileged.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: privileged-psp-users
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: privileged-psp-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: privileged-psp-user
---
# restrictedPSP grants the restrictedPSP role to
# the groups restricted and privileged.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: restricted-psp-users
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: restricted-psp-users
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: privileged-psp-users
- kind: ServiceAccount
  name: default
  namespace: restricted-psp-users
- kind: User
  name: restricted
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restricted-psp-user

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: restricted-psp-user
  labels:
    name: nginx
spec:
  serviceAccountName: default
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    securityContext:
      privileged: true

The apiserver is started with:

  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,PodSecurityPolicy,DefaultTolerationSeconds

From the apiserver log, a user from restricted-psp-users still gets both PSPs, privileged and restricted, as matching.
Can anyone point me to how to debug the problem?

Regards
Liqiang Lin
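As an added example (not from the post or the Kubernetes project), here is a small Python model of the RBAC lookup the PodSecurityPolicy admission controller performs: it evaluates the `use` verb for the requesting user and groups, and separately for the pod's service account, and a privileged pod is admitted only if some PSP usable by either of them permits it. The two ClusterRoles are assumed to follow the linked example (each grants `use` on one named PSP); the bindings are the ones posted above.

```python
"""Model of the PSP 'use' authorization, with the post's bindings embedded."""

# Assumed ClusterRoles (as in the linked example): role -> PSPs it may 'use'.
CLUSTER_ROLES = {
    "privileged-psp-user": {"privileged"},
    "restricted-psp-user": {"restricted"},
}

# PSPs from the post: name -> whether spec.privileged is true.
PSP_ALLOWS_PRIVILEGED = {"privileged": True, "restricted": False}

# ClusterRoleBindings from the post: role -> subjects as (kind, name);
# service accounts are written as (kind, "namespace/name").
BINDINGS = {
    "privileged-psp-user": [("Group", "privileged-psp-users")],
    "restricted-psp-user": [
        ("Group", "restricted-psp-users"),
        ("Group", "privileged-psp-users"),
        ("ServiceAccount", "restricted-psp-users/default"),
        ("User", "restricted"),
    ],
}


def usable_psps(user, groups=(), service_account=None):
    """PSPs the request may use: union of what the user (with groups) and,
    if the pod names one, the service account are bound to."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    if service_account:
        ns = service_account.split("/")[0]
        # A service account also carries the system:serviceaccounts groups,
        # so a binding to either of those grants every SA (in that namespace).
        subjects |= {("ServiceAccount", service_account),
                     ("Group", "system:serviceaccounts"),
                     ("Group", f"system:serviceaccounts:{ns}")}
    allowed = set()
    for role, bound in BINDINGS.items():
        if subjects & set(bound):
            allowed |= CLUSTER_ROLES.get(role, set())
    return allowed


def can_run_privileged(user, groups=(), service_account=None):
    """Admitted only if at least one usable PSP has privileged: true."""
    return any(PSP_ALLOWS_PRIVILEGED.get(p, False)
               for p in usable_psps(user, groups, service_account))


if __name__ == "__main__":
    req = ("restricted", ["restricted-psp-users"], "restricted-psp-users/default")
    print(sorted(usable_psps(*req)), can_run_privileged(*req))
```

If the real cluster admits the pod anyway, the set that differs from this model is the place to look: compare `kubectl auth can-i use podsecuritypolicy/privileged --as=restricted --as-group=restricted-psp-users` (and the same with `--as=system:serviceaccount:<namespace>:default`) against what the model returns, since an extra binding on either subject is enough.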