k8s - prevent pods to use some service accounts

12/12/2018

I have configured Pod Security Policies on my cluster, which prevent Pods from running as root.

However, if any deployment uses a tiller service account, it can start pods as root; basically, it is full admin, with no Pod Security Policy restrictions.

Is there a way to restrict which service accounts pods can use?

-- atlus
kubernetes
rbac

1 Answer

12/13/2018

Yeah, it is possible.

You should bind a Role/ClusterRole.

Example:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Nice to read:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

https://docs.giantswarm.io/guides/securing-with-rbac-and-psp/
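The answer above only shows a generic RoleBinding. The following manifests are an added example (not from the question, the answer, or the Kubernetes project) of how the binding fits together with a Pod Security Policy: PSPs are enforced through the RBAC `use` verb, so the policy a pod may run under is decided by what its service account (or the user creating it) is allowed to `use`. The PSP name `restricted`, the namespace `apps`, the Role names, and the assumption that the `tiller` service account lives in `kube-system` and is currently bound to `cluster-admin` are all constructed for illustration.

```yaml
# Added example, not from the original page. The names "restricted", "apps",
# "psp-restricted", "tiller-deployer" and the tiller SA location are assumptions.
---
# 1. A PodSecurityPolicy that forbids running as root (the kind of policy the
#    question says is already in place). PodSecurityPolicy was removed in
#    Kubernetes 1.25; this applies to the 1.x releases that still ship it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - secret
    - emptyDir
    - persistentVolumeClaim
---
# 2. A ClusterRole whose only permission is to "use" that PSP. Nothing here
#    grants "use" on any more permissive policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]
    verbs: ["use"]
---
# 3. Bind it to every service account in the "apps" namespace. The PSP admission
#    controller admits a pod only if the creating user or the pod's service
#    account can "use" a PSP that allows the pod spec; service accounts in this
#    namespace can therefore only run non-root pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-all-sa
  namespace: apps
subjects:
  - kind: Group
    name: system:serviceaccounts:apps
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp-restricted
  apiGroup: rbac.authorization.k8s.io
---
# 4. The tiller service account gets a namespaced Role instead of cluster-admin.
#    Without cluster-wide "use" on permissive PSPs (and without the right to
#    create bindings that grant it), deployments made through tiller are subject
#    to the same restricted policy as everything else in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-deployer
  namespace: apps
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "services", "configmaps", "secrets", "deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-deployer
  namespace: apps
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system   # assumed location of the tiller SA
roleRef:
  kind: Role
  name: tiller-deployer
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f` and then check the effective permission rather than trusting the manifests: `kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:apps:default` should answer `yes`, while the same query for a more permissive PSP name should answer `no`. The existing `cluster-admin` binding for the tiller service account has to be deleted for step 4 to have any effect, because RBAC is purely additive. Tiller (Helm 2) also needs access to its release storage (by default ConfigMaps in its own namespace), which is intentionally left out of the `tiller-deployer` Role above.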

--
Source: StackOverflow