PodSecurityPolicy Operations: Difference between revisions

From NovaOrdis Knowledge Base
No edit summary
 
Line 26: Line 26:
   - 'example'
   - 'example'
</syntaxhighlight>
</syntaxhighlight>
This is [[Kubernetes_RBAC_Operations#Create_a_Role|how to create a role]].


Create the RoleBinding that binds the service account to the role:
Create the RoleBinding that binds the service account to the role:
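Review bot: in the line added after the Role manifest, "This is [[Kubernetes_RBAC_Operations#Create_a_Role|how to create a role]]." has no clear referent for "This"; it reads as if the manifest above were the procedure. Suggest wording it as a pointer, for example "To create the role from this manifest, see [[Kubernetes_RBAC_Operations#Create_a_Role|Create a Role]]."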
Line 42: Line 44:
   namespace: default
   namespace: default
</syntaxhighlight>
</syntaxhighlight>
This is [[Kubernetes_RBAC_Operations#Create_a_Role_Binding|how to create a role binding]].


=Associate a PodSecurityPolicy with a User Account=
=Associate a PodSecurityPolicy with a User Account=
{{External|https://kubernetes.io/docs/concepts/policy/pod-security-policy/#via-rbac}}
{{External|https://kubernetes.io/docs/concepts/policy/pod-security-policy/#via-rbac}}
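Review bot: the subject above the added role-binding link is pinned to `namespace: default`, but nothing near the new line says which namespace the RoleBinding itself belongs in. A RoleBinding grants `use` only inside its own namespace, so a sentence stating that it must be created in the namespace where the service account's pods run would help the reader more than the bare link.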

Latest revision as of 02:08, 5 September 2020

Internal

Get Deployed PodSecurityPolicies

kubectl get podsecuritypolicies

PodSecurityPolicy is a cluster-scoped resource, so this returns the single, cluster-wide list of pod security policies, regardless of the current namespace.

Associate a PodSecurityPolicy with a Service Account

Create a Role that allows using the PodSecurityPolicy. Assuming that the name of the PodSecurityPolicy is "example", the Role manifest should be similar to:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-podsecuritypolicy
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - 'example'

This is how to create a role.

Create the RoleBinding that binds the service account to the role:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-podsecuritypolicy-test-serviceaccount-binding
roleRef:
  kind: Role
  name: access-to-podsecuritypolicy
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: test-serviceaccount
  namespace: default

This is how to create a role binding.
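
One way to confirm that the Role and RoleBinding above took effect, as an added example that is not part of the original page: it asks the API server, through impersonation, whether the bound service account may `use` the policy, and whether a service account that was not bound can as well. The function names are hypothetical; the policy, service account and namespace names are the ones used on this page, and the caller is assumed to have impersonation rights.

```shell
#!/bin/sh
# Added example (not from the original page): verify a PodSecurityPolicy grant.
# Assumes kubectl is configured and the caller may impersonate service accounts.

# RBAC user name the API server assigns to a service account.
sa_username() {   # $1 = namespace, $2 = service account name
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Ask the API server whether the service account may "use" the policy.
# Prints "yes" or "no"; returns 0 only when the answer is "yes".
can_use_psp() {   # $1 = namespace, $2 = service account, $3 = policy name
  _answer=$(kubectl auth can-i use "podsecuritypolicy/$3" \
              --as="$(sa_username "$1" "$2")" -n "$1" 2>/dev/null) || true
  [ "$_answer" = "yes" ] || _answer=no
  printf '%s\n' "$_answer"
  [ "$_answer" = "yes" ]
}

# Check both directions:
#   - the bound service account must be able to use the policy (else return 1)
#   - a service account that was NOT bound should not be able to; if it can,
#     some broader binding also grants the policy (return 2)
verify_psp_binding() {   # $1 = namespace, $2 = bound SA, $3 = policy, $4 = unbound SA
  _rc=0
  if [ "$(can_use_psp "$1" "$2" "$3")" != "yes" ]; then
    echo "FAIL: $(sa_username "$1" "$2") cannot use policy $3"
    _rc=1
  fi
  if [ "$(can_use_psp "$1" "$4" "$3")" = "yes" ]; then
    echo "WARN: $(sa_username "$1" "$4") can also use policy $3"
    [ "$_rc" -ne 0 ] || _rc=2
  fi
  return "$_rc"
}

# Usage against a live cluster, with the names from this page:
#   verify_psp_binding default test-serviceaccount example default
```

A return code of 2 usually means a ClusterRoleBinding or a group-wide binding grants the same policy, so the per-service-account binding is not what is restricting access.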

Associate a PodSecurityPolicy with a User Account

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#via-rbac