Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
8cb6eb0b
Commit
8cb6eb0b
authored
Feb 24, 2017
by
Eric Chiang
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
PodSecurityPolicy example: fix explanation
parent
f1182ddc
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
11 additions
and
7 deletions
+11
-7
README.md
examples/podsecuritypolicy/rbac/README.md
+11
-7
No files found.
examples/podsecuritypolicy/rbac/README.md
View file @
8cb6eb0b
...
@@ -82,21 +82,25 @@ podsecuritypolicy "restricted" created
...
@@ -82,21 +82,25 @@ podsecuritypolicy "restricted" created
### Roles and bindings
### Roles and bindings
In order to a
`PodSecurityPolicy`
a user must have the ability to perform the
`use`
verb on the policy.
In order to create a pod, either the creating user or the service account
The
`use`
verb is a special verb that grants access to use the policy while
specified by the pod must be authorized to use a
`PodSecurityPolicy`
object
not allowing any other access. This verb is specific to
`PodSecurityPolicy`
.
that allows the pod. That authorization is determined by the ability to perform
To enable the
`use`
access we will create cluster roles. In this example we will provide the roles:
the
`use`
verb on a particular
`podsecuritypolicies`
resource. The
`use`
verb
is a special verb that grants access to use a policy while not permitting any
other access. For this example, we'll first create RBAC
`ClusterRoles`
that
enable access to
`use`
specific policies.
1.
`restricted-psp-user`
: this role allows the
`use`
verb on the
`restricted`
policy only
1.
`restricted-psp-user`
: this role allows the
`use`
verb on the
`restricted`
policy only
2.
`privileged-psp-user`
: this role allows the
`use`
verb on the
`privileged`
policy only
2.
`privileged-psp-user`
: this role allows the
`use`
verb on the
`privileged`
policy only
To associate roles with users we will use groups via a
`RoleBinding`
. This example uses
We can then create
`ClusterRoleBindings`
to grant groups of users the
the following groups:
"restricted" and/or "privileged"
`ClusterRoles`
. In this example, the bindings
grant the following roles to groups.
1.
`privileged`
: this group is bound to the
`privilegedPSP`
role and
`restrictedPSP`
role which gives users
1.
`privileged`
: this group is bound to the
`privilegedPSP`
role and
`restrictedPSP`
role which gives users
in this group access to both policies.
in this group access to both policies.
1.
`restricted`
: this group is bound to the
`restrictedPSP`
role
1.
`restricted`
: this group is bound to the
`restrictedPSP`
role
.
1.
`system:authenticated`
: this is a system group for any authenticated user. It is bound to the
`edit`
1.
`system:authenticated`
: this is a system group for any authenticated user. It is bound to the
`edit`
role which is already provided by the cluster.
role which is already provided by the cluster.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment