How can I apply a PSP (PodSecurityPolicy) only for the kube-system
namespace and another PSP for all the other containers?
Pod security policies are a cluster-level resource, so there is no current way to do what you need in vanilla Kubernetes.
However, Rancher adds a concept of Projects to the cluster, and you can apply Pod Security Policies to Projects.
NOTE - They still recommend using Pod Security Policies at a cluster level.
Alternatively, @Crou's answer is also a good choice to implement it via RBAC and RoleBindings.
As we can read in the Kubernetes documentation about Pod Security Policies:
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
You should use RBAC and set up a Role which will use the desired PSP.
If a RoleBinding (not a ClusterRoleBinding) is used, it will only grant usage for pods being run in the same namespace as the binding. This can be paired with system groups to grant access to all pods run in the namespace:
# Authorize all service accounts in a namespace:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
# Or equivalently, all authenticated users in a namespace:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
You should also check out Using PodSecurityPolicies and Kubernetes: Assigning Pod Security Policies with RBAC.
Hope this helps.