
With PodSecurityPolicy enabled, do I need to give all 44 system service accounts the "use" verb for the "privileged" policy?

August 2, 2020

I have created what seems like a standard set of RBAC policies and enabled the `PodSecurityPolicy` admission controller. I know how to create Roles and RoleBindings to allow my own service accounts (for example, a `deployer` account) to `use` the `privileged` policy to allow them to create pods and other actions.

Edit - I counted clusterroles instead of service accounts in my initial post. I have fixed this below.

There are 44 system service accounts in my cluster according to `kubectl get serviceaccount -A | grep system | wc -l`. Are the rules for each account already delineated? I could update each rule for them to `use` the `privileged` policy but that seems too heavy-handed.

Update - When the PSP admission controller is enabled, `kubectl` uses the `privileged` pod security policy. However, every other service account uses the `restricted` pod security policy. Each service account that needs elevated permissions needs to be updated in some way. But which service account needs which permission is not clear to me.

What I want to achieve: For each service account in the `kube-system` namespace, what permissions are needed so that I can follow the Principle of Least Privilege.

I am using Kubernetes v1.18.5 installed using KubeSpray. This cluster is running on AWS.

-- David Medinets
kubernetes
rbac
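The following manifest is an added example and is not part of the question or of any answer; it shows the least-privilege shape the question is asking for: a single ClusterRole that grants `use` on the `privileged` PodSecurityPolicy, bound by a namespaced RoleBinding to one named service account in `kube-system`, rather than to every system account. The ClusterRole name `psp:privileged` and the service account name `example-system-component` are assumptions chosen for illustration; the PSP name `privileged` comes from the question.

```yaml
# Added example, not from the original post.
# Grants only the "use" verb, only on the "privileged" PodSecurityPolicy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged          # assumed name
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - privileged                 # the PSP named in the question
  verbs:
  - use
---
# A RoleBinding (not a ClusterRoleBinding) scopes the grant to kube-system,
# and the subject list names exactly one service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:privileged:example-system-component   # assumed name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
- kind: ServiceAccount
  name: example-system-component                  # assumed; replace per component
  namespace: kube-system
```

Two checks help decide which accounts actually need such a binding. The PSP admission controller records the policy that admitted each pod in the `kubernetes.io/psp` annotation, so `kubectl get pods -n kube-system -o custom-columns='NAME:.metadata.name,SA:.spec.serviceAccountName,PSP:.metadata.annotations.kubernetes\.io/psp'` shows which service account ended up under which policy. Before and after applying a binding, `kubectl auth can-i use podsecuritypolicy/privileged --as=system:serviceaccount:kube-system:example-system-component` confirms that only the intended account gained the verb.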