Minor Usability Enhancement to Default Pod Security Policies
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Low | Carmen Rata |
Bug Description
Brief Description
-----------------
Currently we create the following when we turn on PSP:
- We create some default PSP policies: privileged and restricted
- We create some corresponding roles for these: privileged-psp-user and restricted-psp-user
- AND
  - We BIND ALL kube-system serviceaccounts to privileged-psp-user for the kube-system namespace, and
  - We BIND ALL kube-system serviceaccounts to privileged-psp-user for APPLICATION-
I'd like to add the following ClusterRoleBindings:
- In order to be able to, by default, create deployments with 'restricted' capabilities in your namespace:
  - ClusterRoleBinding of system:
    - Applies to all namespaces, but a user will only be able to use this if his other RBAC permissions enable access to a deployment in a namespace.
- In order to be able to, by default, create pods with 'restricted' capabilities in your namespace:
  - ClusterRoleBinding of system:
Severity
--------
USABILITY ... <Minor: System/Feature is usable with minor issue>
Steps to Reproduce
------------------
Turn on PSP and try to create a deployment as a non-cluster-admin.
Expected Behavior
------------------
It would be good to give everyone at least 'restricted' capabilities.
Actual Behavior
----------------
Non-cluster-admins can do nothing.
Reproducibility
---------------
100%
System Configuration
--------------------
All systems.
Branch/Pull Time/Commit
-----------------------
NA
Last Pass
---------
NA
Timestamp/Logs
--------------
NA
Test Activity
-------------
Evaluation
Workaround
----------
Create the ClusterRoleBindings yourself.
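One way to create the two bindings the description asks for (and that the workaround tells you to create by hand), as an added example and not StarlingX's own manifests. It assumes the ClusterRole restricted-psp-user already exists and grants the `use` verb on the PSP named restricted, as the description states (its assumed shape is shown first for reference). The subjects are an assumption, since the bug text cuts off after "system:": the group system:serviceaccounts covers pods that controllers create on a user's behalf (Deployments, DaemonSets, Jobs), and the group system:authenticated covers pods a user creates directly. The binding names are hypothetical.

```yaml
# Added example, not StarlingX code. Assumed shape of the ClusterRole the
# bug description says already exists: the only thing it grants is the
# right to *use* the "restricted" PodSecurityPolicy. It grants no access
# to pods, deployments or namespaces; normal RBAC still gates those.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-psp-user
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
# Binding 1 (assumed subject): every service account in every namespace.
# PSP admission evaluates a Deployment's pods against the pod's service
# account (the ReplicaSet controller creates them), so this is the binding
# that lets a non-cluster-admin's Deployment come up under "restricted".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restricted-psp-user-serviceaccounts   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restricted-psp-user
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
---
# Binding 2 (assumed subject): every authenticated user. This covers pods
# a user creates directly with kubectl, where the requesting user (not a
# service account) is the one that must be allowed to use the policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restricted-psp-user-authenticated     # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restricted-psp-user
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
```

Apply with `kubectl apply -f` and check the result with `kubectl auth can-i use podsecuritypolicies/restricted --as=system:serviceaccount:<namespace>:default` (and the same with `--as=<user> --as-group=system:authenticated`); after a pod is admitted, its `kubernetes.io/psp` annotation names the policy that was applied. Two caveats: only the restricted role should ever be bound this broadly, since a kube-system service account that can use both policies will be admitted under privileged when its pod needs it, and PodSecurityPolicy was removed from Kubernetes in 1.25, so these bindings only matter on releases that still ship the PSP admission controller.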
Changed in starlingx:
  status: Triaged → In Progress
Changed in starlingx:
  status: In Progress → Fix Released
stx.5.0 - usability improvements that should be considered for the next release.