I have created what seems like a standard set of RBAC policies and enabled the PodSecurityPolicy admission controller. I know how to create Roles and RoleBindings to allow my own service accounts (for example, a deployer account) to use the privileged policy so that they can create pods and perform other actions.
Edit - I counted clusterroles instead of service accounts in my initial post. I have fixed this below.
There are 44 system service accounts in my cluster according to kubectl get serviceaccount -A | grep system | wc -l. Are the rules for each account already delineated? I could update each rule for them to use the privileged policy, but that seems too heavy-handed.
Update - When the PSP admission controller is enabled, kubectl uses the privileged pod security policy. However, every other service account uses the restricted pod security policy. Each service account that needs elevated permissions needs to be updated in some way. But which service account needs which permission is not clear to me.
What I want to achieve: For each service account in the kube-system namespace, what permissions are needed so that I can follow the Principle of Least Privilege.
I am using Kubernetes v1.18.5 installed using KubeSpray. This cluster is running on AWS.
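As an added illustration (not part of the question above), here is the shape of the RBAC objects that grant one service account the "use" verb on one PodSecurityPolicy, plus the kubectl check that confirms the grant took effect. The namespace, service account name (deployer) and policy names (privileged, restricted) are placeholders chosen for the example; the first function only prints YAML and runs offline, the second needs a live cluster.

```shell
#!/bin/sh
# Added example, not code from the original post. Names are assumptions.

# psp_use_manifest NAMESPACE SERVICE_ACCOUNT PSP_NAME
# Prints a namespaced Role that allows "use" on exactly one PSP (via
# resourceNames) and a RoleBinding that ties it to the service account.
# Restricting resourceNames keeps the grant to a single policy instead of
# every PodSecurityPolicy in the cluster.
psp_use_manifest() {
  ns="$1"; sa="$2"; psp="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-use-${psp}
  namespace: ${ns}
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["${psp}"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-use-${psp}-${sa}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: psp-use-${psp}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# check_psp_use NAMESPACE SERVICE_ACCOUNT PSP_NAME
# Asks the API server whether that service account may "use" the policy;
# prints "yes" or "no". Requires cluster access.
check_psp_use() {
  kubectl auth can-i use "podsecuritypolicy/$3" \
    --as="system:serviceaccount:$1:$2" -n "$1"
}

# Typical use: generate, apply, then verify.
#   psp_use_manifest kube-system deployer privileged | kubectl apply -f -
#   check_psp_use kube-system deployer privileged
```

Two points worth keeping in mind when applying this to the kube-system accounts: the PSP admission controller authorizes the pod's service account (not only the user running kubectl), and pods created by controllers such as Deployments or DaemonSets are only ever evaluated against the service account in their pod spec, so that is the subject the binding must name. Running check_psp_use for each account, once against the restricted policy and once against the privileged one, gives a quick inventory of which accounts currently have elevated access and which do not.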