Working on a single-node Kubernetes cluster, I wish to apply a restrictive pod security policy to a group of users authenticated via OpenID. So the sequence of steps is like this:

- Initialize the cluster, and create the pod security policies.
- Apply the `PodSecurityPolicy` admission controller in the API server (which causes an API server restart).
- Create a `ClusterRole` and `RoleBinding` for the users.

The authentication of users via OpenID and fetching their group works well; however, limiting the `PodSecurityPolicy` to this group doesn't work. Example `ClusterRole` and `RoleBinding` are given below. If I use `system:authenticated` instead of `mygroup`, the policy is picked up for new pod creations.
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted # the psp we are giving access to
  verbs:
  - use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
subjects:
- kind: Group
  name: mygroup # My group from openid, DOESN'T WORK.
  # name: system:authenticated # all authenticated users, WORKS.
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp:restricted # A reference to the role above
  apiGroup: rbac.authorization.k8s.io
```
- How do I do the pod security policy `RoleBinding` to a specific group? Are there any errors in my steps above? I have other `RoleBinding`s on this group which work perfectly fine.
- A second problem is that the Flannel pod fails to come up, as it seems to pick up the restrictive policy, which prevents a volume mount etc. I've read that the order of the policies matters, and tried naming the policy with a name that sorts it as the last one. If I insert the policies much later, and add the `PodSecurityPolicy` admission controller after initializing Flannel, everything seems good. Is there an order we have to follow while inserting policies and admission controllers?