In locked down environments that use PSPs, you can't just launch a privileged pod. Example:
$ kubectl sniff <some-pod> -p
INFO[0000] no container specified, taking first container we found in pod.
INFO[0000] selected container: '<some-container>'
INFO[0000] sniffing method: privileged pod
INFO[0000] sniffing on pod: '<some-pod>' [namespace: '<namespace>', container: '<container>', filter: '', interface: 'any']
INFO[0000] creating privileged pod on node: '<node-name>'
ERRO[0000] failed to create privileged pod on node: '<node-name>' error="pods \"ksniff-\" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.volumes[0]: Invalid value: \"hostPath\": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]"
Error: pods "ksniff-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
One workaround for this would be to allow the pod to be created with a serviceAccount. Cluster operators could then bind a permissive PSP to this known serviceAccount, which would allow pods to run as privileged with the required host PID and host path access. You could even provide the PSP and allow for deploying it.
Happy to submit a PR if you think this is a good idea.
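An added example of what the proposed workaround could look like on the cluster side (this is not code from the issue or the ksniff project): a PSP that admits only the privileged, hostPID and hostPath settings the error above rejects, bound through RBAC to one dedicated serviceAccount. The names `ksniff-privileged`, `ksniff` and the namespace `capture` are assumptions.

```yaml
# Added example, not from the ksniff project. Names below are assumptions.
# The PSP grants exactly what the admission error above lists as forbidden:
# privileged, hostPID and a hostPath volume.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ksniff-privileged
spec:
  privileged: true        # rejected in the error as spec.containers[0].securityContext.privileged
  hostPID: true           # rejected in the error as spec.securityContext.hostPID
  volumes: ["hostPath"]   # rejected in the error as spec.volumes[0] hostPath
  # allowedHostPaths could additionally pin hostPath to the one path the sniff pod mounts
  seLinux: {rule: RunAsAny}
  runAsUser: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
# The known serviceAccount the sniff pod would run as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ksniff
  namespace: capture
---
# PSP admission checks for the "use" verb on the policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ksniff-privileged-psp
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["ksniff-privileged"]
    verbs: ["use"]
---
# RoleBinding (not ClusterRoleBinding) keeps the grant to one namespace and one SA.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ksniff-privileged-psp
  namespace: capture
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ksniff-privileged-psp
subjects:
  - kind: ServiceAccount
    name: ksniff
    namespace: capture
```

The pod spec ksniff creates would have to set `serviceAccountName: ksniff` for the admission controller to match this policy rather than the default, restrictive one. PodSecurityPolicy was removed in Kubernetes 1.25, so on newer clusters the equivalent is a namespace labelled for the `privileged` Pod Security Standard.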