CoryODaniel

Kubernetes: Assigning Pod Security Policies with RBAC

A PodSecurityPolicy is a cluster-level resource for managing security aspects of a pod specification.¹

PSPs allow you to control:

A pod security policy is a regular resource accessible via kubectl.

You can get a rundown of them with:

kubectl explain podsecuritypolicy

Creating Pod Security Policies

We are going to create two policies from the k8s docs:

privileged

This policy will be implicitly accessible to cluster admins and chosen by default since they have access to all resources. This policy is the least restrictive you can create.

To create it:

kubectl create -f ./psp/privileged.yaml

restricted

We will explicitly assign this policy to all authenticated users. It denies running as root or escalating to root, requires a security profile, limits volume types, and restricts a few other aspects of the pod spec.

To create it:

kubectl create -f ./psp/restricted.yaml

You should now have (at least) two pod security policies. Run:

kubectl get psp

You should see output similar to the following:

Assigning Pod Security Policies

You can assign access to a pod security policy using RBAC. This RBAC configuration will:

This will effectively make the restricted policy the default for all users and service accounts in the cluster.

To create it:

kubectl create -f ./rbac/psp-restricted.yaml
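For reference, here is what a manifest doing this job looks like. This is an added example, not the author's ./rbac/psp-restricted.yaml; it assumes the policy is named restricted (as elsewhere in this post) and uses psp:restricted as a made-up name for the ClusterRole and ClusterRoleBinding.

```yaml
# Example RBAC for the restricted PSP (added example, not the author's file).
# Grants every authenticated identity the "use" verb on the PSP named
# "restricted". Service accounts are also members of system:authenticated,
# so the single binding covers users and service accounts alike.
# "psp:restricted" is a ClusterRole/ClusterRoleBinding name chosen for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  # Scope "use" to this one policy. Omitting resourceNames would grant
  # "use" on every PSP in the cluster, including privileged.
  resourceNames:
  - restricted
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
# All authenticated users and service accounts in the cluster.
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
```

With this applied, the kubectl auth can-i checks later in this post should answer "yes" for psp/restricted and "no" for psp/privileged when impersonating an ordinary authenticated user.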

Meanwhile your privileged policy will automatically be accessible to you as a cluster admin.

Now you may be asking yourself:

If I am a cluster admin and I have access to privileged by default, but I’m also assigned restricted since I am an authenticated user… which one do I actually get?

Well, I’m glad you asked. If multiple policies are applicable to your account, you will be assigned the first one alphabetically.²

Let’s double check that the correct access was assigned.

This will tell you whether you, as an admin, can use the privileged policy:

kubectl auth can-i use psp/privileged

You should see “yes”.

kubectl lets you impersonate other users and groups with --as and --as-group to perform operations, and you can use the same flags to inspect their permissions.

kubectl auth can-i use psp/privileged --as-group=system:authenticated --as=any-user

You should see “no”.

kubectl auth can-i use psp/restricted --as-group=system:authenticated --as=any-user

You should see “yes”.

Pod security policies in action

Let’s create a namespace and a service account to test out our restricted policy.

kubectl create namespace psp-rbac-demo
kubectl create serviceaccount fake-user -n psp-rbac-demo
kubectl create rolebinding fake-editor --clusterrole=edit --serviceaccount=psp-rbac-demo:fake-user -n psp-rbac-demo

Now we will try to schedule this pod with privileges:

kubectl create -f https://git.io/fNhJX -n psp-rbac-demo \
--as-group=system:authenticated \
--as=system:serviceaccount:psp-rbac-demo:fake-user

You should see:

Error from server (Forbidden): error when creating "https://git.io/fNhJX": pods "privileged" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

Clean up the test namespace with:

kubectl delete ns psp-rbac-demo

And that’s that. Now any user of your cluster will be bound to the rules set in your restricted policy.

Full source code for this tutorial is available here.
