Extracted from SUSE/avant-garde#15:
We are currently deploying by default (there's no optional way) two PSP policies:
- privileged (full access everywhere)
- unprivileged (pretty much no access apart from the very basic stuff)
This is a binary situation -- an all-or-nothing scenario. This is what happens by default:
- All the containers running in the kube-system namespace are using the privileged policy
- All the new containers (from the customer) are using the unprivileged policy.
This means that if the customer wants to use some extra capabilities he can't -- unless he creates his own PSP. That is a wanted behavior. See:
Yes, they are encouraged to provide their own PSPs and they can create bindings as required. We can also provide a set of extra PSPs if we want with specific use cases, but for now our privileged PSP for the kube-system namespace and a general unprivileged pod security policy look fine to me.
Also maybe we need to add some links to our documentation pointing to the k8s documentation related to PSPs. A starting point might be: kubectl explain podsecuritypolicy
Last but not least I have written some stuff on the commit message of the PR https://github.com/SUSE/caaspctl/pull/96/commits
* The caaspctl cluster init command should create the deployment files of v3 pod security policies and later apply them during cluster bootstrap. Also include the 'clusterrolebinding' as part of the PSP manifests.
* Run kube-system pods only in privileged mode: sets up a ClusterRole which uses the privileged policy. Then a RoleBinding references this ClusterRole and pairs it with all the authenticated users and all ServiceAccounts in the kube-system namespace. So it grants usage of the privileged PSP for pods being run in the kube-system namespace.
* Any other pods running in other namespaces are using the unprivileged PSP by default.
* Replace apiVersion extensions/v1beta1 with policy/v1beta1.
* Remove AppArmor annotation.
* Enable PSPs via admission controller.
If anything is not clear or you need more clarification, don't hesitate pinging me :)
from doc-caasp.
Relates to: https://github.com/SUSE/avant-garde/issues/156
from doc-caasp.
Relates to: https://github.com/SUSE/avant-garde/issues/221
from doc-caasp.
First pass uploaded to PR. Closing issue, tracking PR from now on.
from doc-caasp.