Tanzu Kubernetes clusters include default PodSecurityPolicy objects that you can bind to for privileged and restricted workload deployment.
About Default Pod Security Policy
This section provides YAML and kubectl commands for creating role binding objects for the default pod security policies, including ClusterRoleBinding and RoleBinding. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.
A RoleBinding grants permissions within a specific namespace, whereas a ClusterRoleBinding grants permissions cluster-wide. Whether to use a RoleBinding or a ClusterRoleBinding depends on your use case. For example, if you use a ClusterRoleBinding and configure its subjects to use the group system:serviceaccounts:<namespace>, you can bind to a PSP before the namespace is created. For more information, see RoleBinding and ClusterRoleBinding in the Kubernetes documentation.
Example 1: ClusterRoleBinding to Run a Privileged Set of Workloads
The following YAML creates a ClusterRole and a ClusterRoleBinding that grant all service accounts cluster-wide access to run a privileged set of workloads using the default PSP vmware-system-privileged.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - vmware-system-privileged
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: all:psp:privileged
roleRef:
  kind: ClusterRole
  name: psp:privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
As an alternative to applying YAML, you can run the following kubectl command.
kubectl create clusterrolebinding default-tkg-admin-privileged-binding --clusterrole=psp:vmware-system-privileged --group=system:authenticated
Example 2: RoleBinding to Run a Privileged Set of Workloads
The following YAML creates a RoleBinding that grants all service accounts within the default namespace access to run a privileged set of workloads using the default PSP vmware-system-privileged.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-default-privileged-sa-ns_default
  namespace: default
roleRef:
  kind: ClusterRole
  name: psp:vmware-system-privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
As an alternative to applying YAML, you can run the following kubectl command.
kubectl create rolebinding rolebinding-default-privileged-sa-ns_default --namespace=default --clusterrole=psp:vmware-system-privileged --group=system:serviceaccounts
Example 3: ClusterRoleBinding to Run a Restricted Set of Workloads
The following YAML creates a ClusterRoleBinding that grants authenticated users cluster-wide access to run a restricted set of workloads using the default PSP vmware-system-restricted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:authenticated
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-restricted
As an alternative to applying YAML, you can run the following kubectl command.
kubectl create clusterrolebinding psp:authenticated --clusterrole=psp:vmware-system-restricted --group=system:authenticated
Example 4: RoleBinding to Run a Restricted Set of Workloads
The following YAML creates a RoleBinding that grants all service accounts within a specific namespace access to run a restricted set of workloads using the default PSP vmware-system-restricted.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:serviceaccounts
  namespace: some-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-restricted
As an alternative to applying YAML, you can run the following kubectl command.
kubectl create rolebinding psp:serviceaccounts --namespace=some-namespace --clusterrole=psp:vmware-system-restricted --group=system:serviceaccounts
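The scope difference between a RoleBinding and a ClusterRoleBinding described at the top of this page, and the effect of each of Examples 1 to 4, can be checked offline with the following script. It is an added example, not VMware's code: it re-implements the RBAC decision the API server makes for the use verb on podsecuritypolicies and answers "which bindings let this subject use this PSP for a pod in this namespace?" and "who can use the privileged PSP at all?". The four bindings are the page's examples written as Python dicts. The ClusterRole psp:privileged is the one Example 1 defines; the ClusterRoles psp:vmware-system-privileged and psp:vmware-system-restricted are referenced by the page but not shown, so the script assumes they carry the analogous single use rule. The group membership of service accounts (system:serviceaccounts, system:serviceaccounts:<namespace>, system:authenticated) is standard Kubernetes behaviour.

```python
"""Offline check of which RBAC subjects can `use` a PodSecurityPolicy.

Added example, not VMware's code. A subject may use a PSP when a
ClusterRoleBinding (cluster-wide) or a RoleBinding (its own namespace only)
binds it to a ClusterRole whose rules allow `use` on that PSP name.
The bindings are the page's Examples 1 to 4 as Python dicts (no PyYAML, no cluster).
"""

def psp_use_role(name, psp):
    """ClusterRole whose single rule permits `use` of one named PSP."""
    rule = {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
            "verbs": ["use"], "resourceNames": [psp]}
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": [rule]}

# psp:privileged comes from Example 1. The two psp:vmware-system-* roles are
# referenced by the page but not shown; they are ASSUMED here to carry the
# analogous single `use` rule.
CLUSTER_ROLES = {r["metadata"]["name"]: r for r in [
    psp_use_role("psp:privileged", "vmware-system-privileged"),
    psp_use_role("psp:vmware-system-privileged", "vmware-system-privileged"),
    psp_use_role("psp:vmware-system-restricted", "vmware-system-restricted"),
]}

def binding(kind, name, role, group, namespace=None):
    """RoleBinding/ClusterRoleBinding of one Group subject to a ClusterRole."""
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "Group", "name": group}]}

# The page's four examples.
EXAMPLE_1 = binding("ClusterRoleBinding", "all:psp:privileged",
                    "psp:privileged", "system:serviceaccounts")
EXAMPLE_2 = binding("RoleBinding", "rolebinding-default-privileged-sa-ns_default",
                    "psp:vmware-system-privileged", "system:serviceaccounts",
                    namespace="default")
EXAMPLE_3 = binding("ClusterRoleBinding", "psp:authenticated",
                    "psp:vmware-system-restricted", "system:authenticated")
EXAMPLE_4 = binding("RoleBinding", "psp:serviceaccounts",
                    "psp:vmware-system-restricted", "system:serviceaccounts",
                    namespace="some-namespace")

def service_account(namespace, name):
    """A service account as the authenticator presents it: user name plus the
    groups every service-account token carries."""
    return {"user": f"system:serviceaccount:{namespace}:{name}",
            "groups": {"system:serviceaccounts", "system:authenticated",
                       f"system:serviceaccounts:{namespace}"}}

def human_user(name, groups=()):
    """An authenticated human; never a member of system:serviceaccounts."""
    return {"user": name, "groups": set(groups) | {"system:authenticated"}}

def rule_allows_use(rule, psp):
    """True if one PolicyRule permits `use` of the named PSP (wildcards honoured)."""
    def has(field, value):
        return "*" in rule.get(field, []) or value in rule.get(field, [])
    names = rule.get("resourceNames", [])  # empty list means any PSP
    return (has("apiGroups", "policy") and has("resources", "podsecuritypolicies")
            and has("verbs", "use") and (not names or psp in names))

def subject_matches(subject, identity):
    if subject["kind"] == "Group":
        return subject["name"] in identity["groups"]
    if subject["kind"] == "User":
        return subject["name"] == identity["user"]
    if subject["kind"] == "ServiceAccount":
        return identity["user"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False

def bindings_granting_use(identity, psp, pod_namespace, bindings,
                          cluster_roles=CLUSTER_ROLES):
    """Names of the bindings that let `identity` use `psp` for a pod in
    `pod_namespace`. A RoleBinding counts only inside its own namespace."""
    granting = []
    for b in bindings:
        if b["kind"] == "RoleBinding" and b["metadata"].get("namespace") != pod_namespace:
            continue
        role = cluster_roles.get(b["roleRef"]["name"])
        if role is None or not any(rule_allows_use(r, psp) for r in role["rules"]):
            continue
        if any(subject_matches(s, identity) for s in b["subjects"]):
            granting.append(b["metadata"]["name"])
    return granting

def audit_psp(psp, bindings, cluster_roles=CLUSTER_ROLES):
    """Every (binding, scope, subject) granting `use` on `psp`: the list to
    review first for the privileged policy."""
    rows = []
    for b in bindings:
        role = cluster_roles.get(b["roleRef"]["name"])
        if role is None or not any(rule_allows_use(r, psp) for r in role["rules"]):
            continue
        scope = ("cluster-wide" if b["kind"] == "ClusterRoleBinding"
                 else "namespace " + b["metadata"]["namespace"])
        rows += [(b["metadata"]["name"], scope, f"{s['kind']} {s['name']}")
                 for s in b["subjects"]]
    return rows

if __name__ == "__main__":
    for row in audit_psp("vmware-system-privileged", [EXAMPLE_1, EXAMPLE_2, EXAMPLE_3, EXAMPLE_4]):
        print(*row, sep="  ")
```

Running the script lists the two bindings that grant the privileged PSP: Example 1's ClusterRoleBinding, which reaches every service account in every namespace (including future ones), and Example 2's RoleBinding, which reaches service accounts in the default namespace only. Example 3 and 4 never appear because they bind only to the restricted policy, and a human user passes none of the service-account bindings because system:serviceaccounts is a group only service-account tokens carry. The same question against a live cluster is answered by kubectl's authorizer check, for example kubectl auth can-i use podsecuritypolicy/vmware-system-privileged --as=system:serviceaccount:default:default -n default.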