diff --git a/staging/podsecuritypolicy/rbac/README.md b/staging/podsecuritypolicy/rbac/README.md index d5c96006..1d5a5054 100644 --- a/staging/podsecuritypolicy/rbac/README.md +++ b/staging/podsecuritypolicy/rbac/README.md @@ -19,6 +19,13 @@ If you are using the `local-up-cluster.sh` script you may enable these settings PSP_ADMISSION=true ALLOW_PRIVILEGED=true ALLOW_SECURITY_CONTEXT=true ALLOW_ANY_TOKEN=true ENABLE_RBAC=true RUNTIME_CONFIG="extensions/v1beta1=true,extensions/v1beta1/podsecuritypolicy=true" hack/local-up-cluster.sh ``` +The `kubectl` commands in this document assume that the current directory is the root directory of the cloned repository: + +```console +$ git clone https://github.com/kubernetes/examples +$ cd examples +``` + ### Using the protected port It is important to note that this example uses the following syntax to test with RBAC @@ -91,7 +98,7 @@ spec: To create these policies run ``` -$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f examples/podsecuritypolicy/rbac/policies.yaml +$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f staging/podsecuritypolicy/rbac/policies.yaml podsecuritypolicy "privileged" created podsecuritypolicy "restricted" created ``` @@ -131,11 +138,11 @@ role which is already provided by the cluster. To create these roles and bindings run ``` -$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f examples/podsecuritypolicy/rbac/roles.yaml +$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f staging/podsecuritypolicy/rbac/roles.yaml clusterrole "restricted-psp-user" created clusterrole "privileged-psp-user" created -$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f examples/podsecuritypolicy/rbac/bindings.yaml +$ kubectl --server=https://127.0.0.1:6443 --token=foo/system:masters create -f staging/podsecuritypolicy/rbac/bindings.yaml clusterrolebinding "privileged-psp-users" created clusterrolebinding "restricted-psp-users" created clusterrolebinding "edit" created @@ -148,7 +155,7 @@ clusterrolebinding "edit" created Create the pod ``` -$ kubectl --server=https://127.0.0.1:6443 --token=foo/restricted-psp-users create -f examples/podsecuritypolicy/rbac/pod.yaml +$ kubectl --server=https://127.0.0.1:6443 --token=foo/restricted-psp-users create -f staging/podsecuritypolicy/rbac/pod.yaml pod "nginx" created ``` @@ -171,14 +178,14 @@ pod "nginx" deleted Create the privileged pod ``` -$ kubectl --server=https://127.0.0.1:6443 --token=foo/restricted-psp-users create -f examples/podsecuritypolicy/rbac/pod_priv.yaml -Error from server (Forbidden): error when creating "examples/podsecuritypolicy/rbac/pod_priv.yaml": pods "nginx" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed] +$ kubectl --server=https://127.0.0.1:6443 --token=foo/restricted-psp-users create -f staging/podsecuritypolicy/rbac/pod_priv.yaml +Error from server (Forbidden): error when creating "staging/podsecuritypolicy/rbac/pod_priv.yaml": pods "nginx" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed] ``` ### Privileged user can create non-privileged pods ``` -$ kubectl --server=https://127.0.0.1:6443 --token=foo/privileged-psp-users create -f examples/podsecuritypolicy/rbac/pod.yaml +$ kubectl --server=https://127.0.0.1:6443 --token=foo/privileged-psp-users create -f staging/podsecuritypolicy/rbac/pod.yaml pod "nginx" created ``` @@ -203,7 +210,7 @@ pod "nginx" deleted Create the privileged pod ``` -$ kubectl --server=https://127.0.0.1:6443 --token=foo/privileged-psp-users create -f examples/podsecuritypolicy/rbac/pod_priv.yaml +$ kubectl --server=https://127.0.0.1:6443 --token=foo/privileged-psp-users create -f staging/podsecuritypolicy/rbac/pod_priv.yaml pod "nginx" created ```