
Lab 5.3 - the Pod Security Policy example in the K8s 1.23 docs does not work as expected

edited December 2022 in LFS260 Class Forum

I am following Lab 5.3 and even though PSP was removed in 1.25, I think I am still expected to understand how it works.

The k8s docs link is https://v1-23.docs.kubernetes.io/docs/concepts/security/pod-security-policy/#example. I followed all the steps:

```bash
kubectl create namespace psp-example
kubectl create serviceaccount -n psp-example fake-user
kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user

alias kubectl-admin='kubectl -n psp-example'
alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'

kubectl-admin create -f https://k8s.io/examples/policy/example-psp.yaml

kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pause
spec:
  containers:
  - name: pause
    image: k8s.gcr.io/pause
EOF
```

However, the last command succeeds in my cluster, whereas it is supposed to fail according to the documentation:

```
student@master:~/5$ kubectl-user get pod
NAME    READY   STATUS    RESTARTS   AGE
pause   1/1     Running   0          17m
student@master:~/5$
```

I checked the authorization to use the PSP and the non admin user does not have it:

```
student@master:~/5$ k get psp -A
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME      PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
example   false          RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
student@master:~/5$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
no
student@master:~/5$
```

How do we troubleshoot this discrepancy?

Answers

  • I was too fast to write the question. The next lab (5.4) explains that we need to enable the PSP admission controller, which is not enabled by default. Having enabled it, everything works as expected.
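The check behind that answer, as an added example that is not part of the post or of the LFS260 labs: a PSP object is only consulted if the kube-apiserver runs with PodSecurityPolicy in `--enable-admission-plugins`, so the script below inspects a kubeadm-style static pod manifest for that flag and writes a corrected copy. It assumes the kubeadm manifest layout (a `- kube-apiserver` command entry followed by flag entries); the sample manifest is constructed.

```shell
# Added example, not code from the forum post or the LFS260 labs. Without the
# PodSecurityPolicy admission plugin the API server never evaluates any PSP,
# which is why the "pause" pod above was admitted. Sample manifest is constructed.

# Exit 0 if --enable-admission-plugins in the manifest lists PodSecurityPolicy.
psp_admission_enabled() {
  sed -n 's/.*--enable-admission-plugins=\([^[:space:]]*\).*/\1/p' "$1" \
    | tr ',' '\n' \
    | grep -qx 'PodSecurityPolicy'
}

# Write a copy of manifest $1 to $2 with PodSecurityPolicy added to the plugin list.
add_psp_plugin() {
  manifest="$1"; out="$2"
  if psp_admission_enabled "$manifest"; then
    cp "$manifest" "$out"                      # already enabled, nothing to do
  elif grep -q -- '--enable-admission-plugins=' "$manifest"; then
    # Append to the existing list, keeping the plugins that are already there
    sed -E 's/(--enable-admission-plugins=[^[:space:]]+)/\1,PodSecurityPolicy/' \
      "$manifest" > "$out"
  else
    # No list at all: add the flag right after the kube-apiserver command entry
    awk '{ print }
         /^ *- kube-apiserver$/ {
           match($0, /^ */)
           printf "%s- --enable-admission-plugins=PodSecurityPolicy\n", substr($0, 1, RLENGTH)
         }' "$manifest" > "$out"
  fi
}

# Constructed sample of a kubeadm static pod manifest with PSP admission disabled.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction
    - --authorization-mode=Node,RBAC
    image: k8s.gcr.io/kube-apiserver:v1.23.0
    name: kube-apiserver
EOF
}
```

On a kubeadm control plane the real manifest is /etc/kubernetes/manifests/kube-apiserver.yaml, and the kubelet restarts the API server when that file changes, so once the flag is in place `kubectl-user create` for the pause pod should be rejected as the docs describe.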

  • Well, I just tried to follow Lab 5.3 and I always come back to PSPs. The answers given in 5.3 are complete nonsense. The questions have to be rephrased and the solution updated.
