WIP: Add (un)privileged Pod Security Policies (!91) · Merge requests · kubernetes / magnum

Ricardo Rocha requested to merge 8499podpolicy into cern-rocky Mar 27, 2019

Add two PodSecurityPolicy resources:

privileged: for workloads needed more than restricted access
unprivileged: for all other workloads, and should be the default

Additional things to be set:

unprivileged mapped to ClusterRole relying on the 'default' service account
privileged / unprivileged added to all existing ClusterRole resources as appropriate

In addition a new label is available to set an alternative policy to the default account, so that at cluster creation users can override the restricted defaults.

WIP: Add (un)privileged Pod Security Policies

Merge request reports