When I create a DaemonSet or a Deployment as an unprivileged User or an
unprivileged ServiceAccount (RBAC & PodSecurityPolicy), the
PodSecurityPolicies are being ignored, so it is possible to bypass the PSP
to create privileged Pods from DaemonSets and Deployments.
If the user tries to deploy a privileged Pod directly, it gets denied
with a forbidden message.

The PodSecurityPolicies are kinda useless when I have to grant our users
access to create resources like DaemonSets/Deployments/ReplicaSets etc...
Is it possible to block this behavior with additional RBAC roles? Or is it 
a bug and should I create an issue?

Thanks in advance!
