I have created what seems like a standard set of RBAC policies and enabled the PodSecurityPolicy admission controller. I know how to create Roles and RoleBindings to allow my own service accounts (for example, a deployer account) to use the privileged policy to allow them to create pods and perform other actions.
Edit - I counted clusterroles instead of service accounts in my initial post. I have fixed this below.
There are 44 system service accounts in my cluster according to kubectl get serviceaccount -A | grep system | wc -l. Are the rules for each account already delineated? I could update each rule for them to use the privileged policy, but that seems too heavy-handed.
Update - When the PSP admission controller is enabled, kubectl uses the privileged pod security policy. However, every other service account uses the restricted pod security policy. Each service account that needs elevated permissions needs to be updated in some way. But which service account needs which permission is not clear to me.
What I want to achieve: for each service account in the kube-system namespace, I want to know which permissions are needed so that I can follow the Principle of Least Privilege.
I am using Kubernetes v1.18.5 installed using KubeSpray. This cluster is running on AWS.
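A way to answer "which service account can already use which policy": the PSP admission controller checks whether the pod's service account (or the creating user) is RBAC-authorized for the use verb on podsecuritypolicies in the policy API group, so resolving RoleBindings and ClusterRoleBindings back to the Roles and ClusterRoles that grant that verb gives the current PSP-to-account map. The following is an added example, not code from the original post; the embedded JSON is a constructed sample in the shape that kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json prints, and the names in it (psp:privileged, deployer, coredns) are assumptions.

```python
import json

# Constructed sample shaped like the List that
#   kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
# prints; feed that command's real output to report() for a live cluster.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "psp:privileged"},
     "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                "resourceNames": ["privileged"], "verbs": ["use"]}]},
    {"kind": "Role", "metadata": {"name": "psp:restricted", "namespace": "kube-system"},
     "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                "resourceNames": ["restricted"], "verbs": ["use"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "deployer-psp"},
     "roleRef": {"kind": "ClusterRole", "name": "psp:privileged"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "default"}]},
    {"kind": "RoleBinding", "metadata": {"name": "coredns-psp", "namespace": "kube-system"},
     "roleRef": {"kind": "Role", "name": "psp:restricted"},
     "subjects": [{"kind": "ServiceAccount", "name": "coredns", "namespace": "kube-system"}]},
]})

def psp_names(rule):
    """PSP names this rule lets a subject 'use'; '*' means every PSP."""
    verbs, res, groups = (rule.get(k, []) for k in ("verbs", "resources", "apiGroups"))
    if not ({"use", "*"} & set(verbs) and {"podsecuritypolicies", "*"} & set(res)
            and {"policy", "extensions", "*"} & set(groups)):
        return set()
    return set(rule.get("resourceNames") or ["*"])

def sa_to_psps(items):
    """Map 'namespace/serviceaccount' -> set of PSPs it may use, via bindings."""
    roles = {}  # (kind, namespace, name) -> PSP names granted by that role
    for it in items:
        if it["kind"] in ("Role", "ClusterRole"):
            key = (it["kind"], it["metadata"].get("namespace", ""), it["metadata"]["name"])
            roles[key] = set().union(*(psp_names(r) for r in it.get("rules", [])))
    grants = {}
    for it in items:
        if it["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = it["roleRef"]  # a RoleBinding may reference a Role or a ClusterRole
        ns = it["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        psps = roles.get((ref["kind"], ns, ref["name"]), set())
        for s in it.get("subjects", []):
            if s.get("kind") == "ServiceAccount" and psps:
                grants.setdefault(f"{s.get('namespace', '')}/{s['name']}", set()).update(psps)
    return grants

def report(raw=SAMPLE):
    """Parse kubectl JSON (default: the constructed sample) and return the map."""
    return sa_to_psps(json.loads(raw)["items"])
```

Service accounts absent from the returned map have no PSP grant through a binding and will fall back to whatever the admission controller allows for the creating user, which is why kubectl-created pods land on privileged while controller-created pods do not; Group subjects such as system:serviceaccounts are deliberately not expanded here and need a separate check.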