Configure Kubernetes access for PSPs

To interact with PSPs, a user must have access to the PodSecurityPolicy object in Kubernetes role-based access control (RBAC). MKE admins automatically have access to this object.

To grant regular users access to the PodSecurityPolicy object, an MKE admin must create the following ClusterRole and ClusterRoleBinding and assign them to the required users:

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-admin
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
EOF

USER=<user-name>

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-admin:$USER
roleRef:
  kind: ClusterRole
  name: psp-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: $USER
EOF
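
To review who ends up with this access, the following added example (not part of the MKE documentation) lists every subject that holds write verbs on PodSecurityPolicy objects through a ClusterRoleBinding, including wildcard grants. The `psp-viewer` and `wildcard-admin` roles, the subject names, and the helper functions are constructed for illustration.

```python
WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update"}
PSP_GROUPS = {"extensions", "policy", "*"}  # API groups that have served PSPs, plus wildcard

def psp_write_verbs(role):
    """Return the write verbs a ClusterRole grants on podsecuritypolicies."""
    granted = set()
    for rule in role.get("rules") or []:
        in_group = PSP_GROUPS & set(rule.get("apiGroups") or [])
        on_psp = {"podsecuritypolicies", "*"} & set(rule.get("resources") or [])
        if in_group and on_psp:
            verbs = set(rule.get("verbs") or [])
            granted |= WRITE_VERBS if "*" in verbs else verbs & WRITE_VERBS
    return granted

def psp_writers(items):
    """Map "Kind/name" subjects to PSP write verbs held via ClusterRoleBindings."""
    roles = {i["metadata"]["name"]: psp_write_verbs(i)
             for i in items if i["kind"] == "ClusterRole"}
    writers = {}
    for binding in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        verbs = roles.get(binding["roleRef"]["name"])
        if not verbs:
            continue  # role is unknown or grants no PSP write access
        for subject in binding.get("subjects") or []:
            key = f'{subject["kind"]}/{subject["name"]}'
            writers.setdefault(key, set()).update(verbs)
    return writers

def _role(name, group, verbs, resource="podsecuritypolicies"):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": [group], "resources": [resource], "verbs": verbs}]}

def _binding(role, kind, subject):
    return {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": kind, "name": subject}]}

# Constructed sample, shaped like the "items" list returned by
# `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE = [
    _role("psp-admin", "extensions", ["create", "delete", "get", "list", "patch", "update"]),
    _role("psp-viewer", "extensions", ["get", "list"]),
    _role("wildcard-admin", "*", ["*"], resource="*"),
    _binding("psp-admin", "User", "alice"),
    _binding("psp-viewer", "User", "bob"),
    _binding("wildcard-admin", "Group", "ops"),
]

if __name__ == "__main__":
    print({s: sorted(v) for s, v in psp_writers(SAMPLE).items()})
```

Only ClusterRoleBindings are inspected because PSPs are cluster-scoped, so a namespaced RoleBinding cannot grant access to them.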