Pod security policy control is implemented as an optional (but recommended) admission controller. PodSecurityPolicies are enforced by enabling the admission controller, but doing so without authorizing any policies will prevent any pods from being created in the cluster.
Since the pod security policy API (policy/v1beta1/podsecuritypolicy) is enabled independently of the admission controller, for existing clusters it is recommended that policies are added and authorized before enabling the admission controller.
Question:
I need to create a cluster, and then later define a pod security policy to restrict an account/credential to run pods in a restricted manner.
Will this apply to that particular account or to all the pods in the cluster? I prefer to keep the default admin account unrestricted while allowing only a fixed uid/gid for that particular user account to run pods.
I just doubt that if I restrict the pods to runAs only a fixed uid/gid, it may break things in the cluster.
How do I apply a pod security policy to all the users/service accounts in all the namespaces (existing and new), except cluster admin?
Following this post:
https://medium.com/coryodaniel/kubernetes-assigning-pod-security-policies-with-rbac-2ad2e847c754
Turns out that I can create two PSPs:
Privileged
Restricted
Admin has access to both of them by default, but they are assigned alphabetically, so I can name them like:
01-Privileged
and
100-Restricted
So for Admin, the effective one will be the first one.
For normal users, I will just assign the restricted one through a ClusterRole and RoleBinding for all authenticated users.
But it turns out that applying a PSP to user accounts works for creating simple pods, but if they try to create ReplicaSets as part of Deployments, it won't work, and we need to assign the policy to the pod service accounts as well.
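As an added example (written for this page, not code from the original answer or the linked post), here are the manifests for the two-policy layout described above, covering both the ordering trick and the service-account binding needed for Deployments. The policy names 01-privileged and 100-restricted, the ClusterRole/ClusterRoleBinding names, and the fixed uid/gid of 1000 are assumed values; substitute your own.

```yaml
# 01-privileged: because PSPs that allow a pod without mutating it are tried
# first, ordered by name, this is the one selected for cluster-admin, whose
# wildcard RBAC already grants "use" on every PSP. Name chosen for sort order.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 01-privileged
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities: ['*']
  volumes: ['*']
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser: {rule: RunAsAny}
  runAsGroup: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
# 100-restricted: pins every container to uid/gid 1000 (assumed value) and
# forbids privileged/host access. A range with min == max allows exactly one id;
# a pod that asks for a different runAsUser/runAsGroup is rejected, and a pod
# that sets none is defaulted to 1000.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 100-restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ['ALL']
  hostNetwork: false
  hostIPC: false
  hostPID: false
  volumes: ['configMap', 'emptyDir', 'projected', 'secret', 'downwardAPI', 'persistentVolumeClaim']
  runAsUser:
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 1000
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 1000
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 1000
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 1000
  seLinux: {rule: RunAsAny}
---
# RBAC: grant "use" on 100-restricted to every authenticated user AND every
# service account. The second group is what makes Deployments work: the pods of
# a ReplicaSet are created by the controller, not by the user who ran kubectl,
# so the PSP admission check falls back to the pod's own service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  resourceNames: ['100-restricted']
  verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted:all
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
```

Apply these before adding PodSecurityPolicy to the API server's --enable-admission-plugins list, as the documentation excerpt at the top of the page advises; otherwise every pod creation is rejected until some policy is usable. To confirm the binding reaches service accounts, run `kubectl auth can-i use podsecuritypolicy/100-restricted --as=system:serviceaccount:default:default`, which should answer yes, and `kubectl get pod <name> -o yaml` on a created pod and check its `kubernetes.io/psp` annotation to see which policy was actually selected. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the same uid/gid restriction has to be expressed through Pod Security Admission or an external admission controller instead.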