You will probably need to add further service accounts as subjects of the ClusterRoleBinding `psp:privileged` (for example kube-system workloads that require hostNetwork, hostPath, or added Linux capabilities). Any principal not listed there falls under the restricted policy, because `psp:restricted` is bound to `system:authenticated`.
# Apply the restricted PSP and its RBAC first, so a replacement policy already
# exists when the permissive default binding is withdrawn; reversing the order
# would leave authenticated principals with no usable PSP for a moment.
kubectl apply --filename eks-restricted-psp.yml
# Remove EKS's default binding, which (as its name indicates) grants the
# privileged policy to every authenticated principal.
kubectl delete clusterrolebinding eks:podsecuritypolicy:authenticated
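---
# NOTE(review): the rendered page appended "| |" to every line and flattened the
# indentation, which makes the document unparseable; restored here with values
# unchanged. PodSecurityPolicy was removed in Kubernetes 1.25 (Pod Security
# Admission replaces it), and the extensions/v1beta1 PSP version was removed in
# 1.16 — on later clusters that still have PSP, use apiVersion: policy/v1beta1.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.restricted
  annotations:
    # 'docker/default' is the deprecated alias of 'runtime/default'; kept as on
    # the page, but prefer 'runtime/default' where the cluster accepts it.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []
  requiredDropCapabilities:
    - ALL
  hostIPC: false
  hostNetwork: false
  hostPID: false
  # A writable root filesystem is still permitted; set to true to harden further.
  readOnlyRootFilesystem: false
  # RunAsAny below still allows containers to run as UID 0. A genuinely
  # restricted policy would use `rule: MustRunAsNonRoot` for runAsUser and
  # `MustRunAs` with explicit ranges for fsGroup/supplementalGroups. Left
  # unchanged because tightening it rejects every workload that currently runs
  # as root — audit existing pods before changing.
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # hostPath is deliberately absent (host filesystem mounts are the usual
  # container-escape vector). persistentVolumeClaim is also absent, so pods
  # that mount PVCs will be rejected under this policy — add it if needed.
  volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - secret
    - projected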
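---
# Grants the `use` verb on EKS's built-in eks.privileged policy. (Rendering
# artifacts "| |" and lost indentation removed; values unchanged.)
# EKS already ships an equivalent ClusterRole, eks:podsecuritypolicy:privileged,
# which could be bound directly instead of maintaining this copy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged
rules:
  # apiGroup is `extensions` to match the PSP apiVersion used in this file. The
  # canonical group for PSP `use` is `policy`; on newer releases the admission
  # controller authorizes against `policy` — confirm this rule still resolves
  # on your cluster version before relying on it.
  - apiGroups:
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - eks.privileged
    verbs:
      - use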
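---
# Grants the `use` verb on the eks.restricted policy defined above. (Rendering
# artifacts "| |" and lost indentation removed; values unchanged.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
  # Same apiGroup caveat as psp:privileged: `extensions` matches the PSP
  # apiVersion in this file, while `policy` is the canonical group on newer
  # clusters — verify on the target version.
  - apiGroups:
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - eks.restricted
    verbs:
      - use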
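---
# Binds the privileged PSP only to the kube-system service accounts listed
# below. (Rendering artifacts "| |" and lost indentation removed; subjects
# unchanged.) PSP admission accepts a policy if either the creating user or the
# pod's service account may `use` it, so binding the pod SA is sufficient for
# controller-managed pods. Every other kube-system workload that needs host
# access (cluster add-ons, custom DaemonSets) must be added here or it will be
# rejected under eks.restricted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
  # VPC CNI: runs privileged with hostNetwork.
  - kind: ServiceAccount
    name: aws-node
    namespace: kube-system
  # kube-proxy: needs hostNetwork (and typically privileged) for iptables.
  - kind: ServiceAccount
    name: kube-proxy
    namespace: kube-system
  # coredns: presumably here because it adds NET_BIND_SERVICE, which
  # eks.restricted forbids (allowedCapabilities: [] + drop ALL). Full
  # privileged is more than it needs; a narrower PSP allowing only that
  # capability would be the least-privilege choice — verify against the
  # deployed coredns securityContext.
  - kind: ServiceAccount
    name: coredns
    namespace: kube-system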
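---
# Makes eks.restricted the default policy for every authenticated principal,
# including all service accounts. (Rendering artifacts "| |" and lost
# indentation removed; values unchanged.) Principals that are also bound to
# psp:privileged can be admitted under either policy; the admission controller
# prefers the first policy (by name) that validates the pod without mutating it,
# so the kube-system SAs above will normally land on eks.privileged.
# This binding must exist before eks:podsecuritypolicy:authenticated is deleted,
# otherwise authenticated principals temporarily have no usable PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:authenticated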