Closed smartaquarius10 closed 3 years ago
Thank you for the feedback @smartaquarius10! Do you mind opening an issue in https://github.com/open-policy-agent/gatekeeper-library/issues? As PSP is moving from v1 to v2 design, there are some recommended practices around user-based exemptions. Let's talk about the tradeoffs and alternatives to fit your use case in the gatekeeper-library repo with other community members.
@ritazh Sure Rita. Will do that. Thanks for the info. I have opened this issue in the suggested repository.
Should I close the issue here?
@ritazh , Hello Rita. Hope you're doing well.
Is there any other repository or community portal where I can ask this question? It's been 3 days and I have not received any reply on that repository.
I have to convert the AKS cluster to a shared resource, for which PSPs are required and admin vs. non-admin bifurcation is necessary. But, as per my understanding, the current architecture of Azure policies does not adhere to this role-based segregation, which is definitely a need.
Please let me know if you can share any other contacts. Thank you. Take care.
@smartaquarius10 Thanks for opening the other issue. Let's continue the discussion in Gatekeeper as it applies to K8s PSP v2 guidance as well as Gatekeeper policies. Feel free to close this issue here.
Thanks
@RamyasreeChakka can you please help @smartaquarius10 with the issue raised in https://github.com/open-policy-agent/gatekeeper-library/issues/78#issuecomment-835493641 regarding how to apply labelSelector to built-in policies? Seems we are missing docs around this new feature.
Addressing this comment : https://github.com/open-policy-agent/gatekeeper-library/issues/78#issuecomment-835493641
Hi @smartaquarius10, although it may be hard to parse, the schema tab in the assignment UI shows the expected format. In this case try adding matchExpressions like the following:
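The following is an added illustration of the approach discussed above, not the snippet from the comment and not code from Azure Policy or Gatekeeper. It assumes the AKS built-in definitions take assignment parameters shaped like the ones below (an `effect`, an `excludedNamespaces` list, and a `labelSelector` object following the Kubernetes LabelSelector schema with `matchLabels` and `matchExpressions`), and it re-implements the selector semantics in Python so you can check offline which pods an assignment would actually cover. The label key `workload-tier` and its value `platform-admin` are invented for the example.

```python
"""Which pods does an Azure Policy for Kubernetes assignment cover?

Added example: evaluates Kubernetes LabelSelector semantics (matchLabels and
matchExpressions with In / NotIn / Exists / DoesNotExist) against constructed
pod metadata, the same way a policy with a labelSelector parameter scopes
itself. Not Azure's or Gatekeeper's own code.
"""
import json

# Constructed assignment parameters. Assumption: the built-in definition
# exposes `labelSelector` as a Kubernetes-style LabelSelector. The NotIn
# expression makes the policy skip pods that carry
# workload-tier=platform-admin and apply to everything else.
ASSIGNMENT_PARAMETERS = json.loads("""
{
  "effect": {"value": "deny"},
  "excludedNamespaces": {"value": ["kube-system", "gatekeeper-system", "azure-arc"]},
  "labelSelector": {
    "value": {
      "matchLabels": {},
      "matchExpressions": [
        {"key": "workload-tier", "operator": "NotIn", "values": ["platform-admin"]}
      ]
    }
  }
}
""")

# Constructed pods; only metadata matters for scoping.
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "team-a",
                  "labels": {"app": "web"}}},
    {"metadata": {"name": "node-debugger", "namespace": "platform",
                  "labels": {"workload-tier": "platform-admin"}}},
    {"metadata": {"name": "coredns", "namespace": "kube-system",
                  "labels": {"k8s-app": "kube-dns"}}},
    {"metadata": {"name": "ingress", "namespace": "team-b",
                  "labels": {"workload-tier": "shared"}}},
]


def match_expression(labels, expr):
    """One LabelSelectorRequirement. Note that NotIn and DoesNotExist are
    satisfied when the key is absent, so an unlabeled pod is selected."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(labels, selector):
    """All matchLabels and all matchExpressions must hold (logical AND).
    An empty selector matches every resource."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(match_expression(labels, e)
               for e in selector.get("matchExpressions", []))


def policy_applies(pod, params):
    """Namespace exclusions are checked first, then the label selector."""
    meta = pod["metadata"]
    if meta["namespace"] in params["excludedNamespaces"]["value"]:
        return False
    return selector_matches(meta.get("labels", {}),
                            params["labelSelector"]["value"])


def evaluate(pods, params):
    """Map pod name -> whether the assignment's effect would apply."""
    return {p["metadata"]["name"]: policy_applies(p, params) for p in pods}


if __name__ == "__main__":
    for name, applies in evaluate(SAMPLE_PODS, ASSIGNMENT_PARAMETERS).items():
        print(f"{name:<14} {'DENY' if applies else 'exempt'}")
```

Two points worth keeping in mind when using this for an admin/non-admin split: the selector matches labels on the resource, not the identity that submitted it, so the exemption is only as strong as the controls on who may set that label (RBAC on the exempt namespaces, or a second constraint that denies the label elsewhere); and unlabeled pods fall under the policy, which is the safe default for a deny effect.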
@ritazh , @nreisch , Thank you so much. Will try that right now. Take care.
Regards Tanul
Team,
In Kubernetes, we can take advantage of ClusterRoles and RoleBindings to bifurcate the pod security policies according to the privileges of admin and non-admin users.
In Azure Kubernetes, if we apply any Azure policy, e.g. not allowing privileged pods, then it will restrict all the users, including admins as well.
How do we control this restriction in Azure policies, given that PSP in AKS is deprecated and it is mandatory to use Azure policies from now on?
Thank you