1 - Create permissive pod security policy mkdir /root/psp
cd /root/psp
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: permissive-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: ' *' true
allowPrivilegeEscalation: true
allowedCapabilities:
- ' *' ' *' true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: ' RunAsAny' ' RunAsAny' ' RunAsAny' ' RunAsAny' kubectl apply -f permissive-psp.yaml
2 - Create cluster role for psp vi permissive-psp-cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: permissive-cluster-role
rules:
- apiGroups: [' policy' ' podsecuritypolicies' ' use' kubectl apply -f permissive-psp-cluster-role.yaml
3 - Create cluster role binding and bind to PSP cluster role vi permissive-psp-cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: permissive-psp-cluster-bind
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: permissive-cluster-role
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: system:authenticated
kubectl apply -f permissive-psp-cluster-role-binding.yaml
4: Enable PSP admission controller on kube-api server vi /etc/kubernetes/manifests/kube-apiserver.yaml
add below line on the kube-api server
--enable-admission-plugins=PodSecurityPolicy
watch pods
kubectl get pods -n kube-system -w