
Lab 5.3 - the Pod Security Policy example in the K8s 1.23 docs does not work as expected

mark.kharitonov Posts: 17
edited December 2022 in LFS260 Class Forum

I am following the Lab 5.3 and even though PSP was removed in 1.25, I think I am still expected to understand how it works.

The k8s docs link is https://v1-23.docs.kubernetes.io/docs/concepts/security/pod-security-policy/#example. I followed all the steps:

# namespace, a non-admin service account, and an "edit" binding for it
kubectl create namespace psp-example
kubectl create serviceaccount -n psp-example fake-user
kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user

# admin acts directly; "user" impersonates the service account
alias kubectl-admin='kubectl -n psp-example'
alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'

# the example PSP from the docs (privileged: false, RunAsAny, etc.)
kubectl-admin create -f https://k8s.io/examples/policy/example-psp.yaml

kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pause
spec:
  containers:
    - name: pause
      image: k8s.gcr.io/pause
EOF

However, the last command succeeds in my cluster, whereas it is supposed to fail according to the documentation:

student@master:~/5$ kubectl-user get pod
NAME    READY   STATUS    RESTARTS   AGE
pause   1/1     Running   0          17m
student@master:~/5$

I checked the authorization to use the PSP and the non-admin user does not have it:

student@master:~/5$ k get psp -A
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME      PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
example   false          RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
student@master:~/5$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
no
student@master:~/5$

How do we troubleshoot this discrepancy?

Answers

  • I was too fast to write the question. The next lab (5.4) explains that we need to enable the PSP admission controller, which is not enabled by default. Having enabled it, everything works as expected.

  • Well, I just tried to follow Lab 5.3 and I always come back to PSPs. The answers given in 5.3 are complete nonsense. The questions have to be rephrased and the solution updated.
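The first answer points at the actual cause: a PodSecurityPolicy object does nothing until the PodSecurityPolicy admission plugin is enabled on kube-apiserver, and a kubeadm cluster does not enable it by default. The script below is an added example (not part of the forum thread or the lab) that checks a kubeadm-style static pod manifest for the plugin and adds it idempotently. It assumes GNU sed (as on a Linux control plane node), and the manifest path and the sample manifest contents are constructed for the demo; on a real node the file is typically /etc/kubernetes/manifests/kube-apiserver.yaml and kubelet restarts the apiserver when it changes.

```shell
#!/bin/sh
# Added example: detect and enable the PodSecurityPolicy admission plugin in a
# kube-apiserver static pod manifest. Assumes GNU sed. Not from the lab.
set -eu

# Print the value of --enable-admission-plugins from the manifest (empty if absent).
admission_plugins() {
  sed -n 's/^[[:space:]]*- --enable-admission-plugins=\(.*\)$/\1/p' "$1"
}

# Exit 0 if PodSecurityPolicy is one of the enabled admission plugins.
psp_admission_enabled() {
  admission_plugins "$1" | tr ',' '\n' | grep -qx 'PodSecurityPolicy'
}

# Enable PodSecurityPolicy in place. Safe to run repeatedly.
enable_psp_admission() {
  f="$1"
  if psp_admission_enabled "$f"; then
    return 0
  fi
  if grep -q -- '--enable-admission-plugins=' "$f"; then
    # flag present: append our plugin to the existing comma-separated list
    sed -i 's/\(--enable-admission-plugins=[^[:space:]]*\)/\1,PodSecurityPolicy/' "$f"
  else
    # flag absent: add it directly after the "- kube-apiserver" command entry,
    # keeping the same indentation (GNU sed understands \n in the replacement)
    sed -i 's/^\([[:space:]]*\)- kube-apiserver$/&\n\1- --enable-admission-plugins=PodSecurityPolicy/' "$f"
  fi
}

# Constructed sample manifest mirroring kubeadm's default layout (assumption).
make_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --enable-admission-plugins=NodeRestriction
    - --secure-port=6443
    image: k8s.gcr.io/kube-apiserver:v1.23.1
    name: kube-apiserver
EOF
}

# Demo on a temporary copy; on a real node point the functions at
# /etc/kubernetes/manifests/kube-apiserver.yaml instead.
demo=$(mktemp)
make_sample_manifest "$demo"
if psp_admission_enabled "$demo"; then
  echo "PodSecurityPolicy admission: enabled"
else
  echo "PodSecurityPolicy admission: NOT enabled (PSP objects are ignored)"
fi
enable_psp_admission "$demo"
echo "plugins now: $(admission_plugins "$demo")"
rm -f "$demo"
```

Once the plugin is on, the impersonated create from the original post is rejected, because the service account has no RBAC permission for the `use` verb on the policy (that is exactly what the `kubectl-user auth can-i use podsecuritypolicy/example` check above reports). The docs page the post links continues from there by granting `use` on the PSP to the service account with a Role and RoleBinding.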
