Hi All,

While trying out the pod security example, an unprivileged user is able to create a privileged pod. I followed this example: https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Based on the documentation and searching, I found this: the controller manager must run against the secured port, as a user with no PSP permissions (ideally by using the --use-service-account-credentials option).

Following are my configurations for the controller manager and apiserver:

    /hyperkube controller-manager \
      --kubeconfig=/etc/kubernetes/kube-controller-manager-kubeconfig.yaml \
      --leader-elect=true \
      --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
      --root-ca-file=/etc/kubernetes/ssl/ca.pem \
      --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
      --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
      --enable-hostpath-provisioner=false \
      --node-monitor-grace-period=40s \
      --node-monitor-period=5s \
      --pod-eviction-timeout=5m0s \
      --profiling=false \
      --terminated-pod-gc-threshold=500 \
      --v=2 \
      --use-service-account-credentials=true \
      --cloud-provider=aws \
      --feature-gates=Initializers=False,PersistentLocalVolumes=False

    /hyperkube apiserver \
      --advertise-address=10.250.168.104 \
      --etcd-servers=https://10.250.168.59:2379 \
      --etcd-cafile=/etc/ssl/etcd/ssl/ca.pem \
      --etcd-certfile=/etc/ssl/etcd/ssl/node-rohsing2-elk153-master0.pem \
      --etcd-keyfile=/etc/ssl/etcd/ssl/node-rohsing2-elk153-master0-key.pem \
      --insecure-bind-address=127.0.0.1 \
      --bind-address=0.0.0.0 \
      --apiserver-count=1 \
      --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ValidatingAdmissionWebhook,ResourceQuota,PodSecurityPolicy \
      --service-cluster-ip-range=10.233.0.0/18 \
      --service-node-port-range=30000-32767 \
      --client-ca-file=/etc/kubernetes/ssl/ca.pem \
      --profiling=false \
      --repair-malformed-updates=false \
      --kubelet-client-certificate=/etc/kubernetes/ssl/node-rohsing2-elk153-master0.pem \
      --kubelet-client-key=/etc/kubernetes/ssl/node-rohsing2-elk153-master0-key.pem \
      --service-account-lookup=true \
      --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem \
      --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
      --proxy-client-cert-file=/etc/kubernetes/ssl/apiserver.pem \
      --proxy-client-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
      --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem \
      --secure-port=6443 \
      --storage-backend=etcd3 \
      --runtime-config=admissionregistration.k8s.io/v1alpha1,extensions/v1beta1/podsecuritypolicy=true \
      --v=2 \
      --allow-privileged=true \
      --cloud-provider=aws \
      --anonymous-auth=True \
      --authorization-mode=Node,RBAC \
      --experimental-encryption-provider-config=/etc/kubernetes/ssl/secrets_encryption.yaml \
      --feature-gates=Initializers=False,PersistentLocalVolumes=False \
      --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem \
      --requestheader-allowed-names=front-proxy-client \
      --requestheader-extra-headers-prefix=X-Remote-Extra- \
      --requestheader-group-headers=X-Remote-Group \
      --requestheader-username-headers=X-Remote-User \
      --enable-aggregator-routing=True \
      --proxy-client-cert-file=/etc/kubernetes/ssl/front-proxy-client.pem \
      --proxy-client-key-file=/etc/kubernetes/ssl/front-proxy-client-key.pem

I am using the --use-service-account-credentials option, and the controller is being run against the secured port.

Based on the above documentation, the output of the following command is "no", but I get "yes":

    kubectl-user auth can-i use podsecuritypolicy/example
    yes

Also, if I try to run the further examples:

    kubectl-user run pause --image=k8s.gcr.io/pause

the following error is seen in the logs:

    Warning  FailedCreate  15s (x13 over 36s)  replicaset-controller  Error creating: pods "pause-67fddf7c44-" is forbidden: unable to validate against any pod security policy: []

But the policy is present in the system:

    kubectl get psp
    NAME      DATA    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
    example   false   []     RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            [*]

What could be the problem? Please suggest.

-- 
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscr...@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.
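The post above turns on which subject the PodSecurityPolicy admission controller authorizes. PSP admission asks the RBAC authorizer whether the subject creating the pod may `use` `podsecuritypolicies/<name>`; with `--use-service-account-credentials` a pod created through a Deployment is created by the replicaset-controller service account, so that service account, not the interactive user, is the one that needs a binding to the policy (this is the "authorize the controller manager's service account" step in the linked docs). The following Python is an added example, not code from the post or from Kubernetes: it is a deliberately reduced model of that RBAC decision (no ClusterRole aggregation, wildcards only as a bare `*`, no non-resource URLs) that can be run offline to see which subjects could use a given PSP in a given namespace. The namespace `psp-example`, the Role name `psp:unprivileged`, the Role/RoleBinding contents and the group memberships are constructed sample values modelled on the docs walkthrough; the checker accepts the `use` rule under either the `extensions` or the `policy` API group, since the post serves PSP via `extensions/v1beta1`.

```python
"""Simplified model of the RBAC check behind a PodSecurityPolicy `use` decision.

Added example, not code from the mailing-list post or from Kubernetes itself.
It mirrors the shape of Role/RoleBinding objects but is deliberately reduced:
no ClusterRole aggregation, no wildcard handling beyond a bare "*", no
non-resource URLs. Names (namespace psp-example, Role psp:unprivileged) and
group memberships are constructed sample values.
"""

# PSP admission asks whether the *creating* subject may `use`
# podsecuritypolicies/<name>. Under extensions/v1beta1 the group is
# "extensions"; later it is "policy". Accept a rule written for either.
PSP_API_GROUPS = ("extensions", "policy")


def rule_matches(rule, api_group, resource, verb, name):
    """True if a single PolicyRule grants `verb` on api_group/resource/name."""
    groups = rule.get("apiGroups", [])
    if "*" not in groups and api_group not in groups:
        return False
    resources = rule.get("resources", [])
    if "*" not in resources and resource not in resources:
        return False
    verbs = rule.get("verbs", [])
    if "*" not in verbs and verb not in verbs:
        return False
    # resourceNames, when present, restricts the rule to the listed objects.
    names = rule.get("resourceNames")
    if names and name not in names:
        return False
    return True


def subject_matches(subject, user, groups):
    """True if an RBAC subject entry names this user or one of its groups."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<ns>:<name>.
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def can_use_psp(user, groups, namespace, psp_name, roles, bindings):
    """Decide whether `user` may `use` PSP `psp_name` for a pod in `namespace`.

    roles: dict keyed by (kind, namespace-or-None, name) -> list of PolicyRules.
    bindings: list of RoleBinding / ClusterRoleBinding dicts.
    """
    for binding in bindings:
        if not any(subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        # A RoleBinding only grants inside its own namespace; a ClusterRoleBinding is cluster-wide.
        if binding["kind"] == "RoleBinding" and binding.get("namespace") != namespace:
            continue
        ref = binding["roleRef"]
        role_ns = binding.get("namespace") if ref["kind"] == "Role" else None
        for rule in roles.get((ref["kind"], role_ns, ref["name"]), []):
            if any(rule_matches(rule, g, "podsecuritypolicies", "use", psp_name) for g in PSP_API_GROUPS):
                return True
    return False


# Constructed sample RBAC state, modelled on the docs walkthrough: kubectl-user is bound
# to a Role in psp-example that allows `use` of the "example" PSP; nothing is bound for
# the replicaset-controller service account that actually creates pods for a Deployment.
ROLES = {
    ("Role", "psp-example", "psp:unprivileged"): [
        {"apiGroups": ["policy", "extensions"],
         "resources": ["podsecuritypolicies"],
         "verbs": ["use"],
         "resourceNames": ["example"]},
    ],
}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "psp-example",
     "roleRef": {"kind": "Role", "name": "psp:unprivileged"},
     "subjects": [{"kind": "User", "name": "kubectl-user"}]},
]

# Username the controller manager's replicaset controller presents with
# --use-service-account-credentials (service account in kube-system).
RS_CONTROLLER = "system:serviceaccount:kube-system:replicaset-controller"


def audit(roles=ROLES, bindings=BINDINGS, namespace="psp-example", psp_name="example"):
    """Report, per subject of interest, whether it could `use` the PSP in the namespace."""
    subjects = {
        "kubectl-user": ("kubectl-user", ["system:authenticated"]),
        "replicaset-controller SA": (RS_CONTROLLER, ["system:serviceaccounts",
                                                     "system:serviceaccounts:kube-system"]),
    }
    return {label: can_use_psp(u, g, namespace, psp_name, roles, bindings)
            for label, (u, g) in subjects.items()}


if __name__ == "__main__":
    for label, allowed in audit().items():
        print("%-25s use podsecuritypolicies/example: %s" % (label, "yes" if allowed else "no"))
```

With the sample state, `audit()` reports `yes` for kubectl-user and `no` for the replicaset-controller service account, which is exactly the split a "can-i says yes, but the ReplicaSet's pods are forbidden" symptom would produce; adding a ClusterRoleBinding for that service account to a ClusterRole carrying the same `use` rule flips its answer to `yes`. Treat the model as a reasoning aid only: `kubectl auth can-i --as=system:serviceaccount:kube-system:replicaset-controller use podsecuritypolicy/example` asks the real authorizer the same question.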