Panagiotis Georgiadis

Reputation: 230

Can a Pod Security Policy be applied to a namespace?

How can I apply a PSP (PodSecurityPolicy) only for the kube-system namespace and another PSP for all other namespaces?

Upvotes: 3

Views: 4374

Answers (1)

Crou

Reputation: 11388

As we can read in the Kubernetes documentation about Pod Security Policies:

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

You should use RBAC and set up a Role which will use the desired PSP.

If a RoleBinding (not a ClusterRoleBinding) is used, it will only grant usage for pods being run in the same namespace as the binding. This can be paired with system groups to grant access to all pods run in the namespace:

# Authorize all service accounts in a namespace:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
# Or equivalently, all authenticated users in a namespace:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated

You should also check out Using PodSecurityPolicies and Kubernetes: Assigning Pod Security Policies with RBAC.

Hope this helps.

Upvotes: 2
