Configure Kubernetes access for PSPs
To interact with PSPs, a user must have access to the PodSecurityPolicy
object in Kubernetes role-based access control (RBAC). MKE admins automatically
have access to this object.
To grant regular users access to the PodSecurityPolicy object, an MKE admin must create the following ClusterRole and ClusterRoleBinding and assign them to the required users:
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-admin
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
EOF

USER=<user-name>

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-admin:$USER
roleRef:
  kind: ClusterRole
  name: psp-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: $USER
EOF