Hi,

I have followed the example
https://github.com/kubernetes/kubernetes/tree/master/examples/podsecuritypolicy/rbac
to use PodSecurityPolicy. But it does not seem to be working in my env. Restricted
users/groups/service accounts can still launch privileged Pods.

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
spec:
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - 'emptyDir'
  - 'secret'
  - 'downwardAPI'
  - 'configMap'
  - 'persistentVolumeClaim'
  - 'projected'


# privilegedPSP gives the privilegedPSP role
# to the group privileged.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
    name: privileged-psp-users
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: privileged-psp-users
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: privileged-psp-user
---
# restrictedPSP grants the restrictedPSP role to
# the groups restricted and privileged.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
    name: restricted-psp-users
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: restricted-psp-users
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: privileged-psp-users
- kind: ServiceAccount
  name: default
  namespace: restricted-psp-users
- kind: User
  name: restricted
  apiGroup: rbac.authorization.k8s.io
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: restricted-psp-user

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: restricted-psp-user
  labels:
    name: nginx
spec:
  serviceAccountName: default
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    securityContext:
      privileged: true

--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,PodSecurityPolicy,DefaultTolerationSeconds

From the apiserver log, a user from restricted-psp-users can still get the
matching PSPs privileged and restricted. Can anyone point me to how to debug
the problem?
 
Regards
Liqiang Lin
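To reason about which subject is handing out the privileged policy, here is a small model of how the PodSecurityPolicy admission plugin selects a policy, built from the manifests in the post. This is added example code, not from the post or from Kubernetes; it assumes (as in the linked upstream example) that the ClusterRoles privileged-psp-user and restricted-psp-user grant `use` on the PSP of the same name, and it represents a service account as the subject ("ServiceAccount", "namespace/name").

```python
"""Model of PSP admission: a pod is admitted if ANY policy that the
requesting user OR the pod's service account is authorized to `use`
validates the pod.  Constructed from the manifests in the post."""

# PodSecurityPolicies from the post, reduced to the fields modelled here.
PSPS = {
    "privileged": {"privileged": True, "runAsUser": "RunAsAny"},
    "restricted": {"privileged": False, "runAsUser": "MustRunAsNonRoot"},
}

# Assumed (hypothetical) ClusterRoles: role name -> PSPs it may `use`.
CLUSTER_ROLES = {
    "privileged-psp-user": {"privileged"},
    "restricted-psp-user": {"restricted"},
}

# ClusterRoleBindings from the post: set of (kind, name) subjects -> role.
BINDINGS = [
    ({("Group", "privileged-psp-users")}, "privileged-psp-user"),
    ({("Group", "restricted-psp-users"), ("Group", "privileged-psp-users"),
      ("ServiceAccount", "restricted-psp-users/default"),
      ("User", "restricted")}, "restricted-psp-user"),
]


def usable_psps(subjects):
    """PSPs that the given set of (kind, name) subjects may `use`."""
    allowed = set()
    for bound_subjects, role in BINDINGS:
        if subjects & bound_subjects:
            allowed |= CLUSTER_ROLES[role]
    return allowed


def validates(psp, pod):
    """Does this policy accept the pod's (modelled) securityContext?"""
    if pod.get("privileged") and not psp["privileged"]:
        return False
    if psp["runAsUser"] == "MustRunAsNonRoot" and pod.get("runAsUser") == 0:
        return False
    return True


def admit(pod, user, groups, sa_namespace, sa_name="default"):
    """Name of the first usable PSP (by name) that validates the pod, or None.
    The subject set is the union of the user, its groups and the pod's SA."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    subjects.add(("ServiceAccount", f"{sa_namespace}/{sa_name}"))
    for name in sorted(usable_psps(subjects)):
        if validates(PSPS[name], pod):
            return name
    return None
```

Because the real plugin also takes that union, checking `kubectl auth can-i use podsecuritypolicy/privileged` impersonated as the user (with `--as` and `--as-group`) and as the pod's service account shows which of the two is granting the privileged policy.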

-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.
Visit this group at https://groups.google.com/group/kubernetes-users.