I was trying to enable podSecurityPolicy on one cluster, so I configured RBAC according to the documentation (https://kubernetes.io/docs/concepts/policy/pod-security-policy/) and create two PSP (privileged and restricted). My user is only allowed to use restricted PSP, and I have enabled PodSecurityPolicy admission controller on kubeApi.
As expected when I create a Pod directly with my user, I am allowed to run unprivileged container but not privileged Pod.
But when, I’m creating a Deployment, with a privileged container in the spec, the container start and use the privileged PSP.
According to the documentation I’m supposed to create a Rolebinding with the Pod service account and a Role that allow to use specific PSP, but I don’t allow anything to my Pod service account. So my Pod (created by the replicaSet from the Deployment) is supposed to not run and be dennied by the PodSecurityPolicy admission controller.
After reading more carefully the documentation, I saw:
The Controller Manager must be run against the secured API port, and must not have superuser permissions. Otherwise requests would bypass authentication and authorization modules, all PodSecurityPolicy objects would be allowed, and users would be able to create privileged containers. For more details on configuring Controller Manager authorization, see Controller Roles.
Juju charm kubernetes-master configure kube-controller-manager to talk to apiServer on insecure port (8080), all admission controller are bypassed…
I’m open to make a pull request to change that, do you have some links about how to participate to this juju charm, and all dependency layers ?