Enabling PSPs is very simple. Adding PodSecurityPolicy to the API server's list of admission controllers will send all newly created Pod objects through the PodSecurityPolicy admission controller. This controller does two things:
- Identifies the best policy: The best policy to use is identified by the capabilities requested by a pod's definition. A pod cannot explicitly state which policy it wants to enforce, only what capabilities it wants.
- Determines whether the Pod's policy is authorized: Once a policy is identified, the admission controller needs to determine whether the creator of the pod or the serviceAccount of the pod is authorized to use that policy.
The combination of these two criteria can lead to unexpected results. The creator of the pod isn't the user that submits the StatefulSet definition. There's a controller that watches for Deployment updates and creates a ReplicaSet. There is a controller that...
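The authorization step described above is an RBAC check for the `use` verb on a specific PodSecurityPolicy. The following is an added example, not from the original text: a restrictive policy plus the ClusterRole and RoleBinding that authorize one service account to use it. The names `restricted-example`, `app-team` and `app-sa` are placeholders, and it assumes a cluster that still serves `policy/v1beta1` (PSP was removed in Kubernetes 1.25).

```yaml
# Added example (not from the original text): a restrictive PSP and the RBAC
# that authorizes one service account to use it. Names are placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["configMap", "secret", "emptyDir", "projected", "downwardAPI", "persistentVolumeClaim"]
---
# The "use" verb on this one named PSP is what the admission controller checks.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-example"]
    verbs: ["use"]
---
# Bind the role to the pod's ServiceAccount rather than to the human who
# submitted the workload: pods created by a controller (ReplicaSet,
# StatefulSet, ...) are not created by that user, so the ServiceAccount is
# the subject that must be authorized for the policy to be usable.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-uses-restricted-psp
  namespace: app-team
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: app-team
roleRef:
  kind: ClusterRole
  name: psp-restricted-example-user
  apiGroup: rbac.authorization.k8s.io
```

Before deploying a workload, the binding can be verified from the service account's point of view with `kubectl auth can-i use podsecuritypolicy/restricted-example --as=system:serviceaccount:app-team:app-sa -n app-team`, which answers `yes` only if the RoleBinding above is in effect.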