With PodSecurityPolicy enabled, do I need to give all 44 system service accounts the "use" verb for the "privileged" policy?

8/2/2020

I have created what seems like a standard set of RBAC policies and enabled the PodSecurityPolicy admission controller. I know how to create Roles and RoleBindings to allow my own service accounts (for example, a deployer account) to use the privileged policy to allow them to create pods and perform other actions.

Edit - I counted clusterroles instead of service accounts in my initial post. I have fixed this below.

There are 44 system service accounts in my cluster according to kubectl get serviceaccount -A | grep system | wc -l. Are the rules for each account already delineated? I could update each rule for them to use the privileged policy but that seems too heavy-handed.

Update - When the PSP admission controller is enabled, kubectl uses the privileged pod security policy. However, every other service account uses the restricted pod security policy. Each service account that needs elevated permissions needs to be updated in some way. But which service account needs which permission is not clear to me.

What I want to achieve: For each service account in the kube-system namespace, what permissions are needed so that I can follow the Principle of Least Privilege.

I am using Kubernetes v1.18.5 installed using KubeSpray. This cluster is running on AWS.

-- David Medinets
kubernetes
rbac
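
An added example, not part of the original question: the PodSecurityPolicy admission controller records the policy that admitted each pod in the pod's kubernetes.io/psp annotation, so the pods already running show which service accounts actually use which policy. The pod list below is constructed (shaped like kubectl get pods -n kube-system -o json), and the Role/RoleBinding name psp-<policy>-use is hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get pods -n kube-system -o json`;
# pod and service account names are illustrative, not taken from the question.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "kube-proxy-abc12", "namespace": "kube-system",
               "annotations": {"kubernetes.io/psp": "privileged"}},
  "spec": {"serviceAccountName": "kube-proxy"}},
 {"metadata": {"name": "coredns-5d4f", "namespace": "kube-system",
               "annotations": {"kubernetes.io/psp": "restricted"}},
  "spec": {"serviceAccountName": "coredns"}},
 {"metadata": {"name": "kube-proxy-def34", "namespace": "kube-system",
               "annotations": {"kubernetes.io/psp": "privileged"}},
  "spec": {"serviceAccountName": "kube-proxy"}},
 {"metadata": {"name": "no-annotation", "namespace": "kube-system"},
  "spec": {}}
]}
""")

def accounts_by_policy(pod_list):
    """Map PSP name -> sorted service accounts whose pods were admitted under it."""
    seen = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        psp = (meta.get("annotations") or {}).get("kubernetes.io/psp")
        sa = pod.get("spec", {}).get("serviceAccountName")
        if psp and sa:  # skip pods with no PSP annotation or no service account
            seen.setdefault(psp, set()).add(sa)
    return {psp: sorted(sas) for psp, sas in seen.items()}

def use_binding(policy, accounts, namespace="kube-system"):
    """Build a Role and RoleBinding granting `use` on one PSP to the listed accounts only."""
    name = f"psp-{policy}-use"  # hypothetical object name
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace},
            "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                       "resourceNames": [policy], "verbs": ["use"]}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": name, "namespace": namespace},
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
               "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": namespace}
                            for sa in accounts]}
    return role, binding

if __name__ == "__main__":
    usage = accounts_by_policy(SAMPLE)
    print(usage)
    for manifest in use_binding("privileged", usage.get("privileged", [])):
        print(json.dumps(manifest, indent=2))  # JSON is accepted by `kubectl apply -f -`
```

The annotation only covers pods that were admitted, so a workload that was rejected under the restricted policy will not appear in the report.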

0 Answers