PodSecurityPolicy Operations: Difference between revisions
*[[Kubernetes_Pod_Security_Policy_Concepts#PodSecurityPolicy_Operations|Pod Security Policy Concepts]]
=Get Deployed PodSecurityPolicies=
<syntaxhighlight lang='bash'>
kubectl get podsecuritypolicies
</syntaxhighlight>
PodSecurityPolicies are cluster-scoped, so this is the unique, cluster-wide list of pod security policies.
=Associate a PodSecurityPolicy with a Service Account=
Create a Role that allows using the PodSecurityPolicy. Assuming that the name of the PodSecurityPolicy is "example", the Role manifest should be similar to:
<syntaxhighlight lang='yaml'>
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-podsecuritypolicy
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  # Restrict the grant to the named policy only
  resourceNames:
  - 'example'
</syntaxhighlight>
This is [[Kubernetes_RBAC_Operations#Create_a_Role|how to create a role]].
Create the RoleBinding that binds the service account to the role:
<syntaxhighlight lang='yaml'>
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-podsecuritypolicy-test-serviceaccount-binding
roleRef:
  kind: Role
  name: access-to-podsecuritypolicy
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: test-serviceaccount
  namespace: default
</syntaxhighlight>
This is [[Kubernetes_RBAC_Operations#Create_a_Role_Binding|how to create a role binding]].
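The following is an added example, not part of the original page: an offline check that resolves which PodSecurityPolicies a service account may <code>use</code> from Role and RoleBinding objects, and shows that a rule without <code>resourceNames</code> grants every policy. The manifests are constructed dicts in the shape of <code>kubectl get -o json</code> output; it assumes all objects live in one namespace, and the Role <code>broad-psp-access</code> is hypothetical.

```python
# Constructed manifests in the shape `kubectl get role,rolebinding -o json` returns.
# The first Role and the RoleBinding mirror the page; "broad-psp-access" is hypothetical.
ROLES = {
    "access-to-podsecuritypolicy": {"rules": [{
        "apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
        "verbs": ["use"], "resourceNames": ["example"]}]},
    # No resourceNames: the rule covers every PodSecurityPolicy in the cluster.
    "broad-psp-access": {"rules": [{
        "apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
        "verbs": ["use"]}]},
}
BINDINGS = [{
    "metadata": {"name": "access-to-podsecuritypolicy-test-serviceaccount-binding",
                 "namespace": "default"},
    "roleRef": {"kind": "Role", "name": "access-to-podsecuritypolicy"},
    "subjects": [{"kind": "ServiceAccount", "name": "test-serviceaccount",
                  "namespace": "default"}],
}]


def _covers(values, wanted):
    """RBAC list match: an explicit entry or the '*' wildcard."""
    return "*" in values or wanted in values


def rule_policies(rule):
    """Policy names a rule grants 'use' on; {'*'} means all, empty set means none."""
    if not (_covers(rule.get("apiGroups", []), "policy")
            and _covers(rule.get("resources", []), "podsecuritypolicies")
            and _covers(rule.get("verbs", []), "use")):
        return set()
    names = rule.get("resourceNames") or []
    return set(names) if names else {"*"}


def usable_policies(sa, namespace, roles=ROLES, bindings=BINDINGS):
    """Union of policies granted to system:serviceaccount:<namespace>:<sa>."""
    granted = set()
    for binding in bindings:
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                    and s.get("namespace") == namespace
                    for s in binding.get("subjects", []))
        role = roles.get(binding["roleRef"]["name"]) if bound else None
        for rule in (role or {}).get("rules", []):
            granted |= rule_policies(rule)
    return granted


if __name__ == "__main__":
    print(usable_policies("test-serviceaccount", "default"))  # {'example'}
```

On a live cluster, <code>kubectl auth can-i use podsecuritypolicy/example --as=system:serviceaccount:default:test-serviceaccount</code> asks the API server the same question.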
=Associate a PodSecurityPolicy with a User Account=
{{External|https://kubernetes.io/docs/concepts/policy/pod-security-policy/#via-rbac}}
Latest revision as of 02:08, 5 September 2020