
WIP: Add (un)privileged Pod Security Policies

Ricardo Rocha requested to merge 8499podpolicy into cern-rocky

Add two PodSecurityPolicy resources:

  • privileged: for workloads needing more than restricted access
  • unprivileged: for all other workloads, and should be the default

Additional things to be set:

  • unprivileged mapped to ClusterRole relying on the 'default' service account
  • privileged / unprivileged added to all existing ClusterRole resources as appropriate

In addition, a new label is available to set an alternative policy to the default account, so that at cluster creation users can override the restricted defaults.
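A minimal form of the unprivileged policy and the RBAC wiring that makes it the default, as an added example that is not the merge request's own manifests; it assumes a PSP-era cluster (policy/v1beta1, removed in Kubernetes 1.25) and the resource names psp:unprivileged and psp:privileged are made up.

```yaml
# Added example, not the merge request's manifest. Assumes a PSP-era
# cluster (policy/v1beta1, removed in Kubernetes 1.25).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: unprivileged
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # no setuid/file-cap escalation
  requiredDropCapabilities: [ALL]
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: [configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim]
---
# ClusterRole granting only the 'use' verb on that one policy
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:unprivileged
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [unprivileged]
    verbs: [use]
---
# Make it the default by binding it to every service account (the 'default'
# account of each namespace included); a separate psp:privileged ClusterRole
# is bound only to the service accounts that need the privileged policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:unprivileged:serviceaccounts
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:unprivileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts
```

With the PodSecurityPolicy admission plugin enabled, a pod whose service account can use only psp:unprivileged is rejected if it asks for a privileged container or a host namespace; a service account that can use both policies gets the non-mutating one that admits the pod, so the privileged binding should stay narrow.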
