mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 20:24:09 +00:00
Merge pull request #42088 from ericchiang/psp-example-fix
Automatic merge from submit-queue PodSecurityPolicy example: fix explanation cc @kubernetes/sig-auth-pr-reviews ```release-note NONE ```
This commit is contained in:
commit
eaa386167a
@ -82,21 +82,25 @@ podsecuritypolicy "restricted" created
|
|||||||
|
|
||||||
### Roles and bindings
|
### Roles and bindings
|
||||||
|
|
||||||
In order to a `PodSecurityPolicy` a user must have the ability to perform the `use` verb on the policy.
|
In order to create a pod, either the creating user or the service account
|
||||||
The `use` verb is a special verb that grants access to use the policy while
|
specified by the pod must be authorized to use a `PodSecurityPolicy` object
|
||||||
not allowing any other access. This verb is specific to `PodSecurityPolicy`.
|
that allows the pod. That authorization is determined by the ability to perform
|
||||||
To enable the `use` access we will create cluster roles. In this example we will provide the roles:
|
the `use` verb on a particular `podsecuritypolicies` resource. The `use` verb
|
||||||
|
is a special verb that grants access to use a policy while not permitting any
|
||||||
|
other access. For this example, we'll first create RBAC `ClusterRoles` that
|
||||||
|
enable access to `use` specific policies.
|
||||||
|
|
||||||
1. `restricted-psp-user`: this role allows the `use` verb on the `restricted` policy only
|
1. `restricted-psp-user`: this role allows the `use` verb on the `restricted` policy only
|
||||||
2. `privileged-psp-user`: this role allows the `use` verb on the `privileged` policy only
|
2. `privileged-psp-user`: this role allows the `use` verb on the `privileged` policy only
|
||||||
|
|
||||||
|
|
||||||
To associate roles with users we will use groups via a `RoleBinding`. This example uses
|
We can then create `ClusterRoleBindings` to grant groups of users the
|
||||||
the following groups:
|
"restricted" and/or "privileged" `ClusterRoles`. In this example, the bindings
|
||||||
|
grant the following roles to groups.
|
||||||
|
|
||||||
1. `privileged`: this group is bound to the `privilegedPSP` role and `restrictedPSP` role which gives users
|
1. `privileged`: this group is bound to the `privilegedPSP` role and `restrictedPSP` role which gives users
|
||||||
in this group access to both policies.
|
in this group access to both policies.
|
||||||
1. `restricted`: this group is bound to the `restrictedPSP` role
|
1. `restricted`: this group is bound to the `restrictedPSP` role.
|
||||||
1. `system:authenticated`: this is a system group for any authenticated user. It is bound to the `edit`
|
1. `system:authenticated`: this is a system group for any authenticated user. It is bound to the `edit`
|
||||||
role which is already provided by the cluster.
|
role which is already provided by the cluster.
|
||||||
|
|
||||||
|
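Review bot: the role names in the new text are inconsistent between the two lists in this hunk, which will confuse readers following the example. The first list introduces the `ClusterRoles` as `restricted-psp-user` and `privileged-psp-user`, but the bindings list that follows (unchanged by this change) still refers to the `privilegedPSP` role and `restrictedPSP` role; one of the two should be updated so the names match the manifests the reader is expected to apply. Also consider clarifying the `system:authenticated` item: the new prose says the bindings "grant the following roles to groups", yet that item describes a binding to the cluster-provided `edit` role rather than to either PSP role, so a short sentence explaining that it exists only so users in the example can create pods at all would make the intent clear.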