I have enabled PodSecurityPolicy in minikube. By default it has created two PSPs - privileged and restricted:
NAME         PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
privileged   true    *      RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
restricted   false          RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
I have also created a Linux user, kubexz, for which I have created a ClusterRole and a RoleBinding that restrict it to managing only pods in the kubexz namespace and to using the restricted PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: only-edit
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "deletecollection", "patch", "update", "get", "list", "watch"]
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kubexz-rolebinding
  namespace: kubexz
subjects:
- kind: User
  name: kubexz
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: only-edit
I have put the kubeconfig file in the kubexz user's $HOME/.kube. The RBAC is working fine: as the kubexz user I am only able to create and manage pod resources in the kubexz namespace, as expected.
But when I post a pod manifest with securityContext.privileged: true, the restricted PodSecurityPolicy is not stopping me from creating that pod. I should not be able to create a pod with a privileged container, but the pod is getting created. Not sure what I am missing:
apiVersion: v1
kind: Pod
metadata:
  name: new-pod
spec:
  hostPID: true
  containers:
  - name: justsleep
    image: alpine
    command: ["/bin/sleep", "999999"]
    securityContext:
      privileged: true
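The PodSecurityPolicy admission controller does not apply "the restricted policy" to a pod; it collects every PSP that either the requesting user or the pod's service account is authorized to `use`, and admits the pod if any one of them accepts it. So the question to answer is which policies are usable, not only which policy the user was bound to. The script below is an added example written for this page, not code from the question or from Kubernetes: it re-implements the subset of PSP validation relevant here (privileged, host namespaces, capabilities, volume types, MustRunAsNonRoot) for the two policies in the `kubectl get psp` table, and then shows that the posted pod is rejected when only `restricted` is usable but admitted as soon as `privileged` is also usable. Values not visible in that table (`hostPID`, `hostNetwork`, `hostIPC` on the restricted policy) are assumptions, taken as the PSP default of `false`.

```python
"""Offline re-implementation of the PSP checks relevant to the question.

Added example, not part of the original post. RESTRICTED_PSP and
PRIVILEGED_PSP are constructed from the `kubectl get psp` table above;
the host* fields on the restricted policy are assumptions (PSP default).
"""
from typing import Any, Dict, List, Optional

RESTRICTED_PSP: Dict[str, Any] = {
    "privileged": False,
    "allowedCapabilities": [],        # CAPS column is empty
    "hostPID": False,                 # assumption: not shown by `kubectl get psp`
    "hostNetwork": False,             # assumption
    "hostIPC": False,                 # assumption
    "runAsUser": "MustRunAsNonRoot",
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
}

PRIVILEGED_PSP: Dict[str, Any] = {
    "privileged": True,
    "allowedCapabilities": ["*"],
    "hostPID": True,
    "hostNetwork": True,
    "hostIPC": True,
    "runAsUser": "RunAsAny",
    "volumes": ["*"],
}


def _allowed(value: str, allow_list: List[str]) -> bool:
    return "*" in allow_list or value in allow_list


def validate_pod(pod: Dict[str, Any], psp: Dict[str, Any]) -> List[str]:
    """Return the violations of `pod` against `psp`; empty means admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations: List[str] = []

    for host_field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(host_field, False) and not psp[host_field]:
            violations.append(f"spec.{host_field}=true is not allowed")

    for vol in spec.get("volumes", []):
        for vol_type in (k for k in vol if k != "name"):
            if not _allowed(vol_type, psp["volumes"]):
                violations.append(f"volume {vol.get('name')!r}: type {vol_type!r} is not allowed")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged", False) and not psp["privileged"]:
            violations.append(f"container {name!r}: privileged=true is not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if not _allowed(cap, psp["allowedCapabilities"]):
                violations.append(f"container {name!r}: capability {cap} is not allowed")
        if psp["runAsUser"] == "MustRunAsNonRoot":
            # Container-level settings override pod-level ones.
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
            run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if run_as_user == 0:
                violations.append(f"container {name!r}: runAsUser=0 violates MustRunAsNonRoot")
            elif run_as_non_root is False:
                violations.append(f"container {name!r}: runAsNonRoot=false violates MustRunAsNonRoot")
            # If neither is set, PSP admission mutates runAsNonRoot=true and the
            # image's USER directive is checked by the kubelet, not here.
    return violations


def admit(pod: Dict[str, Any], usable: Dict[str, Dict[str, Any]]) -> Optional[str]:
    """Mimic admission: return the name of the first usable PSP that accepts
    the pod (policies are tried in name order, as the controller does), or
    None if every usable policy rejects it."""
    for name in sorted(usable):
        if not validate_pod(pod, usable[name]):
            return name
    return None


# The pod from the question, as a dict (constructed from the manifest above).
NEW_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "new-pod"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "justsleep", "image": "alpine",
            "command": ["/bin/sleep", "999999"],
            "securityContext": {"privileged": True},
        }],
    },
}

if __name__ == "__main__":
    for v in validate_pod(NEW_POD, RESTRICTED_PSP):
        print("restricted rejects:", v)
    print("only restricted usable ->", admit(NEW_POD, {"restricted": RESTRICTED_PSP}))
    print("both usable          ->", admit(NEW_POD, {"restricted": RESTRICTED_PSP,
                                                     "privileged": PRIVILEGED_PSP}))
```

Against `restricted` alone the posted pod fails on two counts (hostPID and the privileged container) and `admit` returns `None`; add `privileged` to the usable set and the same pod is admitted under that policy. On the live cluster the equivalent check is `kubectl auth can-i use podsecuritypolicy/privileged --as=kubexz -n kubexz` and, for the pod's identity, `kubectl auth can-i use podsecuritypolicy/privileged --as=system:serviceaccount:kubexz:default -n kubexz`; a `yes` from either means the restricted policy is never the deciding one.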