I've created an issue, since no one answered my question so far. Here is the link: https://github.com/kubernetes/kubernetes/issues/51529
For fellows that face the same issue, the solution seems to be:
- run the controller-manager against the secure API endpoint.
- create dedicated tokens/users/serviceaccounts for your controllers and bind them to your restricted PSP Role.

On Friday, 11 August 2017 15:27:32 UTC+2, Gogene wrote:
> When I create a DaemonSet or a Deployment as an unprivileged User or an
> unprivileged ServiceAccount (RBAC & PodSecurityPolicy) the
> PodSecurityPolicies are being ignored, so it is possible to bypass the PSP
> to create privileged Pods from DaemonSets and Deployments.
> If the user tries to deploy a privileged Pod directly it's getting denied
> by a forbidden message.
>
> The PodSecurityPolicies are kinda useless, when I have to grant our users
> access to create resources like DaemonSets/Deployments/ReplicaSets etc...
> Is it possible to block this behavior with additional RBAC roles? Or is it
> a bug and should I create an issue?
>
> Thanks in advance!
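As an added illustration of the second bullet above (this is example configuration, not something posted in the thread or shipped by the Kubernetes project): a restricted PodSecurityPolicy, a ClusterRole that grants only the `use` verb on it, and a ClusterRoleBinding that attaches that role to the per-controller service accounts in `kube-system`. It assumes kube-controller-manager is started with `--use-service-account-credentials=true` (a real flag), so that DaemonSet/Deployment/ReplicaSet pods are created by the `daemon-set-controller`, `deployment-controller` and `replicaset-controller` service accounts instead of by a cluster-wide superuser identity that every PSP check passes. The policy and role names are assumptions.

```yaml
# Added example, not from the original thread.
# Assumes kube-controller-manager runs with --use-service-account-credentials=true
# so workload controllers act as their own kube-system service accounts.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example          # name is an assumption
spec:
  privileged: false                 # what the thread wanted to block
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:
    - configMap
    - secret
    - emptyDir
    - persistentVolumeClaim
---
# Grants permission to "use" only the restricted policy above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user         # name is an assumption
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["restricted-example"]
---
# Binds the controllers that create pods on behalf of DaemonSets,
# Deployments and ReplicaSets to the restricted policy, so a pod spec
# that asks for privileged: true is rejected at admission even when it
# arrives via one of those controllers rather than directly from the user.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted-controllers  # name is an assumption
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
  - kind: ServiceAccount
    name: daemon-set-controller
    namespace: kube-system
  - kind: ServiceAccount
    name: deployment-controller
    namespace: kube-system
  - kind: ServiceAccount
    name: replicaset-controller
    namespace: kube-system
```

To confirm the binding took effect, `kubectl auth can-i use podsecuritypolicy/restricted-example --as=system:serviceaccount:kube-system:daemon-set-controller` should answer `yes`, and the same query for a privileged policy name should answer `no`. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters the equivalent control is Pod Security Admission, but the principle from the thread still applies: controllers must not run as an identity that bypasses admission.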