I'm trying to use PodSecurityPolicy to harden my cluster. I created 2 Pod Security Policies: one is `default`, which allows minimal privilege, and the other one is `restricted`, which allows all privileges a pod can request through SecurityContext. The default one can be used by any service account; the restricted one can only be used by some service accounts.
As the official documentation says, "most Kubernetes pods are not created directly by users. Instead, they are typically created indirectly as part of a Deployment, ReplicaSet, or other templated controller via the controller manager. Granting the controller access to the policy would grant access for all pods created by that controller, so the preferred method for authorizing policies is to grant access to the pod's service account". But it seems any user who has permission to create deployments can specify any service account in the YAML via `spec.serviceAccountName`. That means as long as some naughty user knows the name of a service account that has access to the restricted PodSecurityPolicy, he can create a pod with that service account, which will allow this pod to get escalated privileges. Then he can do anything in the pod.
So is there a way to prevent misuse of a service account in a pod? For example, if a user wants to create a pod with a service account which he doesn't have permission to use, the apiserver would block the request.
Can anyone give any ideas? Thanks!
Namespaces allow you to limit a user to a set of service accounts. Untrusted users can be limited to namespaces containing only low-privileged service accounts.
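As an added illustration of the answer above (example manifests, not part of the original post), these RBAC objects confine a hypothetical user `untrusted-user` to a hypothetical namespace `untrusted-apps` that holds only low-privilege service accounts, while `use` on the `restricted` PodSecurityPolicy from the question is granted only to a hypothetical service account `privileged-worker` in a separate namespace `trusted-system`. A pod can only reference a service account that exists in its own namespace, so the user has no way to run a pod as the privileged account.

```yaml
# untrusted-user may create workloads only in untrusted-apps. A pod can only use
# a service account from its own namespace, so this bounds the user's choice.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-editor
  namespace: untrusted-apps          # hypothetical namespace
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "deployments", "replicasets"]
  verbs: ["create", "get", "list", "watch", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: untrusted-user-workloads
  namespace: untrusted-apps
subjects:
- kind: User
  name: untrusted-user               # hypothetical user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: workload-editor
  apiGroup: rbac.authorization.k8s.io
---
# Only one service account, in a namespace the user has no rights in, may `use` the restricted PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]      # the restricted PSP from the question
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-trusted-sa
  namespace: trusted-system          # hypothetical namespace
subjects:
- kind: ServiceAccount
  name: privileged-worker            # hypothetical service account
  namespace: trusted-system
roleRef:
  kind: ClusterRole
  name: psp-restricted-user
  apiGroup: rbac.authorization.k8s.io
```

With these bindings, `kubectl auth can-i use podsecuritypolicies/restricted --as=system:serviceaccount:untrusted-apps:default` returns `no`, while the same check for `--as=system:serviceaccount:trusted-system:privileged-worker` returns `yes`.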