Create a new ServiceAccount named psd-denial-sa in the existing namespace development.
Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa
Answer: Create psp to disallow privileged container
✑ uk.co.certification.simulator.questionpool.PList@dd90cb0 k create sa psp-denial-sa -n development
✑ uk.co.certification.simulator.questionpool.PList@dd90eb0 namespace: development
Explanationmaster1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: deny-policy
spec:
privileged: false # Don’t allow privileged pods!
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
– ‘*’
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
– apiGroups: [‘policy’]
resources: [‘podsecuritypolicies’]
verbs: [‘use’]
resourceNames:
– “deny-policy”
master1 $ k create sa psp-denial-sa -n developmentmaster1 $ vim cb1.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts: – kind: ServiceAccount
name: psp-denial-sa
namespace: development
Leave a Reply