@Mumshad Mannambeth @Vijin Palazhi on the PSP lecture it was mentioned that the . . .

Gaurav Karki:
@Mumshad Mannambeth @Vijin Palazhi on the PSP lecture it was mentioned that the service account running the pod needs access to the PSP object. However, on the PSP lab I do not see any rolebindings or clusterrolebindings that give access to the PSP, yet we were able to create the pod. Am I missing anything?

root@controlplane:~# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-app
spec:
  containers:
    - name: example-app
      image: ubuntu
      command: ["sleep", "3600"]
      securityContext:
        privileged: false
        runAsUser: 0          # runs as root (uid 0) inside the container
  # serviceAccount is the deprecated alias of serviceAccountName; both point at "test"
  serviceAccount: test
  serviceAccountName: test
  volumes:
    - name: data-volume
      hostPath:               # mounts a directory straight from the node's filesystem
        path: /data
        type: Directory
root@controlplane:~# 
root@controlplane:~# kubectl create -f pod.yaml 
pod/example-app created
root@controlplane:~# kubectl get clusterrole | grep -i test
root@controlplane:~# kubectl get role | grep -i test
No resources found in default namespace.
root@controlplane:~# kubectl get clusterrolebindings.rbac.authorization.k8s.io | grep -i test
root@controlplane:~# kubectl get rolebindings.rbac.authorization.k8s.io | grep -i test
No resources found in default namespace.
root@controlplane:~#

Barahalikar Siddharth:
Pod creation was successful because you are creating the pod as an admin (role) which has access to everything.

If you try to create a Deployment, the Pod will not be created because in this case it is the deployment/replication controller which tries to create a pod and it doesn’t have permission to access the PSP object.

We need roles/bindings if you are trying to create deployments.

Gaurav Karki:
Thanks @Barahalikar Siddharth for the explanation. Now I understand why.

alias kubectl-admin='kubectl -n psp-example'
alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Gaurav Karki:
Also, the error message when the role does not have the right permission:

Events:
  Type     Reason        Age                From                   Message
  ----     ------        ----               ----                   -------
  Warning  FailedCreate  6s (x12 over 16s)  replicaset-controller  Error creating: pods "pod-deploy-66569f9bf-" is forbidden: PodSecurityPolicy: unable to admit pod: []

Gaurav Karki:
When the pod has the correct permission but is blocked by the PSP, the error message is more detailed:

Events:
  Type     Reason        Age                  From                   Message
  ----     ------        ----                 ----                   -------
  Warning  FailedCreate  48s (x16 over 3m32s)  replicaset-controller  Error creating: pods "pod-deploy-595f796549-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.capabilities.add: Invalid value: "CAP_SYS_BOOT": capability may not be added]
root@controlplane:~#