Use admission controllers for access

MKE supports using a selective grant to allow a set of user and service accounts to use privileged attributes on Kubernetes Pods. This enables administrators to create scenarios that would ordinarily require administrators or cluster-admins to execute. Such selective grants can be used to temporarily bypass restrictions on non-administrator accounts, as the changes can be reverted at any time.

The privileged attributes associated with user and service accounts are specified separately. It is only possible to specify one list of privileged attributes for user accounts and one list for service accounts.

The user accounts specified for access must be non-administrator users and the service accounts specified for access must not be bound to the cluster-admin role.

The following privileged attributes can be assigned using a selective grant:




Allows the Pod containers to share the host IPC namespace


Allows the Pod to use the network namespace and network resources of the host node


Allows the Pod containers to share the host process ID namespace


Allows the Pod containers to use directories and volumes mounted on the container host


Allows one or more Pod containers to run privileged, escalate privileges, or both


Allows you to specify the addition of kernel capabilities on one or more of the kernel capabilities

The following Pod manifest demonstrates the use of several of the privileged attributes in a Pod:

Example Pod manifest
apiVersion: v1
kind: Pod
  name: busybox
  namespace: default
  - image: ubuntu
      - sleep
      - "36000"
    imagePullPolicy: IfNotPresent
    name: busybox
          - NET_ADMIN
          - CHOWN
      privileged: false
      allowPrivilegeEscalation: true

  restartPolicy: Always

To configure privileged attributes for user and service account access:

  1. Obtain the current MKE configuration file for your cluster.

  2. In the [cluster_config] section on the MKE configuration file, specify the required privileged attributes for user accounts using the priv_attributes_allowed_for_user_accounts parameter.

  3. Specify the associated user accounts with the priv_attributes_user_accounts parameter.

  4. Specify the required privileged attributes for service accounts using the priv_attributes_allowed_for_service_accounts parameter.

  5. Specify the associated service accounts with the priv_attributes_service_accounts parameter.

  6. Upload the new MKE configuration file.

Example privileged attribute specification in the MKE configuration file:

priv_attributes_allowed_for_user_accounts = ["privileged"]
priv_attributes_user_accounts = ["Abby"]
priv_attributes_allowed_for_service_accounts = ["hostBindMounts", "hostIPC"]
priv_attributes_service_accounts = ["default:sa1"]