Kubernetes: ClusterRoleBinding for system:authenticated on specific namespaces

4/2/2020

I'm a bit confused with PSP (Pod Security Policy) and RBAC on my Kubernetes cluster.

This cluster is currently used by many teams to build their CI/CD jobs. Each team has a dedicated namespace and we want to deny them the possibility to launch privileged containers in the cluster.

Working with an EKS cluster, a default PSP is created by AWS that allows everything and is bound to every resource in the cluster via the following ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks:podsecuritypolicy:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: eks:podsecuritypolicy:privileged
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated

My goal is to keep the default AWS ClusterRole for all my "system" namespaces and apply a specific PSP "privileged containers disabled" to all project namespaces. This would allow me to eliminate the risk of applying a bad PSP on the system namespaces and breaking my cluster.

I know that I can create a RoleBinding inside each system namespace:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-privileged
roleRef:
  kind: ClusterRole
  name: eks:podsecuritypolicy:privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated

But I wonder if I can do that with one ClusterRoleBinding instead of many RoleBindings?

I hope I have been clear, and thank you in advance for your possible answers!

-- Mystérieux Pot Géant
kubernetes
rbac

0 Answers
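An added example, not part of the question above, of the split it describes: a restricted PSP granted cluster-wide through a single ClusterRoleBinding to `system:authenticated`, while the EKS privileged PSP stays reachable only in namespaces that carry a namespace-scoped RoleBinding like the one shown in the question. The names `restricted` and `psp:restricted` are assumed.

```yaml
# Added example (not from the question): restricted PSP for everyone,
# bound cluster-wide; the privileged PSP is then only usable where a
# namespaced RoleBinding (as in the question) grants it.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted          # assumed name
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # no setuid / gaining capabilities
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:                          # no hostPath
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted      # assumed name
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]            # "use" is the verb PSP admission checks
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
```

A ClusterRoleBinding cannot be limited to a set of namespaces, so the privileged PSP is scoped the other way round: remove the default `eks:podsecuritypolicy:authenticated` ClusterRoleBinding and keep per-namespace RoleBindings to `eks:podsecuritypolicy:privileged` in the system namespaces only, where PSP admission will then accept a privileged pod via that policy and reject it everywhere else. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on current clusters the same split is expressed with Pod Security Admission namespace labels instead.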