Closed fredericksales closed 5 years ago
@fredericksales Thank you for trying out kubernetes-keyvault-flexvol.
Did you create the clusterrole and clusterrolebinding/rolebinding to use that psp?
This is a new psp that I created on my cluster to get it working -

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allow-flexvolume
spec:
  seLinux:
    rule: RunAsAny
  volumes:
    - flexVolume
    - hostPath
    - secret
  allowedFlexVolumes:
    - driver: azure/kv
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  allowedHostPaths:
    - pathPrefix: /etc/kubernetes/volumeplugins
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:allow-flexvolume
rules:
  # On clusters where PodSecurityPolicy is served only under policy/v1beta1,
  # the apiGroup here is 'policy' rather than 'extensions'.
  - apiGroups: ['extensions']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - allow-flexvolume
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default:allow-flexvolume
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:allow-flexvolume
subjects:
  # system:authenticated covers every authenticated subject, service accounts included.
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:nodes
    apiGroup: rbac.authorization.k8s.io
```
One thing in general to note - PSPs are evaluated in alphabetical order.
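To make the rejection in this thread reproducible offline, here is an added example (not code from the kubernetes-keyvault-flexvol project) that models only the PSP volume checks involved: `spec.volumes`, `allowedFlexVolumes` and `allowedHostPaths`. The two PSP dicts and the pod volumes are constructed from the thread; the flexvol DaemonSet's hostPath into `/etc/kubernetes/volumeplugins` and the restricted policy's `volumes` list are assumptions.

```python
"""Simplified model of PodSecurityPolicy volume admission (added example).

Reproduces the volumes / allowedFlexVolumes / allowedHostPaths checks only,
not the real admission controller. Inputs are constructed, not captured.
"""
import os


def _type_of(volume):
    # A pod volume is {"name": ..., "<volumeSourceType>": {...}}.
    return next(k for k in volume if k != "name")


def psp_volume_errors(psp_spec, pod_volumes):
    """Return the rejection messages a PSP spec produces for the pod's volumes."""
    allowed_types = set(psp_spec.get("volumes", []))
    allowed_drivers = {f["driver"] for f in psp_spec.get("allowedFlexVolumes", [])}
    allowed_prefixes = [p["pathPrefix"].rstrip("/")
                        for p in psp_spec.get("allowedHostPaths", [])]
    errors = []
    for i, vol in enumerate(pod_volumes):
        vtype = _type_of(vol)
        if "*" not in allowed_types and vtype not in allowed_types:
            errors.append(f'spec.volumes[{i}]: Invalid value: "{vtype}": '
                          f"{vtype} volumes are not allowed to be used")
            continue
        if vtype == "flexVolume" and allowed_drivers:
            driver = vol["flexVolume"]["driver"]
            if driver not in allowed_drivers:
                errors.append(f"spec.volumes[{i}].driver: flexVolume driver "
                              f"{driver!r} is not allowed")
        if vtype == "hostPath" and allowed_prefixes:
            # Prefix match on path components: /a/b allows /a/b and /a/b/c, not /a/bc.
            path = os.path.normpath(vol["hostPath"]["path"])
            if not any(path == p or path.startswith(p + "/") for p in allowed_prefixes):
                errors.append(f"spec.volumes[{i}].hostPath.path: {path!r} "
                              "is not allowed to be used")
    return errors


# Constructed stand-in for the reporter's psp-restricted: no hostPath/flexVolume.
RESTRICTED_PSP = {"privileged": False, "volumes": ["secret", "configMap"]}
# The allow-flexvolume PSP from the thread, reduced to its volume-related fields.
ALLOW_FLEXVOLUME_PSP = {
    "volumes": ["flexVolume", "hostPath", "secret"],
    "allowedFlexVolumes": [{"driver": "azure/kv"}],
    "allowedHostPaths": [{"pathPrefix": "/etc/kubernetes/volumeplugins"}],
}
# Constructed volumes: the installer DaemonSet writes the driver into the
# kubelet plugin dir via hostPath; an app pod mounts secrets via azure/kv.
DAEMONSET_VOLUMES = [{"name": "plugins",
                      "hostPath": {"path": "/etc/kubernetes/volumeplugins/"}}]
APP_POD_VOLUMES = [{"name": "kv", "flexVolume": {"driver": "azure/kv"}}]
```

Running `psp_volume_errors(RESTRICTED_PSP, DAEMONSET_VOLUMES)` yields the exact `hostPath volumes are not allowed to be used` message from the report, while the allow-flexvolume spec admits both pods.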
hello @aramase,
your PSP solved my issue. I created the clusterrole and clusterrolebinding but I missed a little configuration in the cluster role binding.
@aramase can you please add this PSP to the readme?
Hello,
I try to use a keyvault-flexvolume on a k8s cluster (AKS) with podsecuritypolicy enabled.
I get the following error: Error creating: pods "keyvault-flexvolume-" is forbidden: unable to validate against any pod security policy: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
I have the following PodSecurityPolicy applied on the cluster:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-restricted
spec:
  privileged: false
  allowPrivilegeEscalation: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  allowedFlexVolumes:
```
I still have the same issue and don't know why I still get it!