Apply a less restrictive pod security policy to a provisioned cluster to allow for privileged pods.

To keep your provisioned clusters secure by default, Tanzu Mission Control applies a restrictive pod security policy that prevents the use of privileged options in your containers, such as running a container as root or using privileged mode. However, you might want to enable your pods to use some of these privileged options in some of your clusters. So, Tanzu Mission Control provides a preconfigured cluster role (vmware-system-tmc-psp-privileged) that you can use to apply a less restrictive pod security policy for specified identities.

Prerequisites

Before you begin this procedure, you must have a cluster that you have provisioned through Tanzu Mission Control.

Open a command window and connect to your cluster with kubectl.

Make sure you have the appropriate permissions.
  • To modify role bindings in the cluster, you must be associated with the cluster.admin role.

Procedure

  1. To enable privileged mode for a specific pod, bind the privileged role to a service account.
    Use the following kubectl command, replacing my-namespace and my-service-account with the appropriate values.
    kubectl create rolebinding my-privileged-role-binding \
        --clusterrole=vmware-system-tmc-psp-privileged \
        --user=system:serviceaccount:my-namespace:my-service-account \
        -n my-namespace
  2. To enable privileged mode for an entire cluster, bind the privileged role to the group containing all authenticated users.
    kubectl create clusterrolebinding my-privileged-cluster-role-binding \
        --clusterrole=vmware-system-tmc-psp-privileged \
        --group=system:authenticated
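The two imperative commands above can also be expressed as RoleBinding and ClusterRoleBinding manifests that you keep under version control, and the result can be checked with kubectl's impersonation support. The script below is an added example, not part of the Tanzu Mission Control documentation or product: it emits the declarative equivalent of step 1 (one service account in one namespace) and step 2 (the system:authenticated group, which hands the privileged policy to every authenticated identity in the cluster and so effectively removes the default restriction cluster-wide), and offers a verification function built on `kubectl auth can-i`. The cluster role name vmware-system-tmc-psp-privileged is from the page; the namespace, service account and binding names are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the Tanzu Mission Control docs). Declarative
# equivalents of the page's two kubectl commands plus a verification step.
# vmware-system-tmc-psp-privileged is the cluster role named on the page;
# namespace / service-account / binding names below are placeholders.
set -eu

# Equivalent of step 1: a RoleBinding granting ONE service account in ONE
# namespace the privileged pod security policy. Least-privilege option.
privileged_rolebinding_manifest() {
  ns="$1"; sa="$2"; name="${3:-my-privileged-role-binding}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${name}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vmware-system-tmc-psp-privileged
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# Equivalent of step 2: a ClusterRoleBinding for the system:authenticated
# group. Every authenticated identity can then use the privileged policy,
# which is the same as switching the restrictive default off cluster-wide.
privileged_clusterrolebinding_manifest() {
  name="${1:-my-privileged-cluster-role-binding}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vmware-system-tmc-psp-privileged
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
EOF
}

# After applying a binding, confirm the service account can now "use" a
# pod security policy. Impersonation (--as) needs admin-level rights, which
# the page's cluster.admin role provides. Prints "skipped" without kubectl.
verify_psp_use() {
  ns="$1"; sa="$2"
  if ! command -v kubectl >/dev/null 2>&1; then
    echo skipped
    return 0
  fi
  kubectl auth can-i use podsecuritypolicies \
    --as="system:serviceaccount:${ns}:${sa}" -n "${ns}"
}

# Usage: print the namespaced manifest (placeholder names) so it can be
# reviewed or piped into `kubectl apply -f -`.
privileged_rolebinding_manifest my-namespace my-service-account
```

To apply, pipe the manifest into `kubectl apply -f -`, then run `verify_psp_use my-namespace my-service-account`; the answer should be `yes` for the bound service account and `no` for an unbound one in the same namespace, which is the quickest way to confirm that step 1 widened access only for the identity you intended.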