@harryge00
Last active August 13, 2018 11:46
bookinfo istio demo deployments cannot create pods
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: 2018-08-13T11:34:52Z
  name: psp:rootprivileged
  namespace: default
  resourceVersion: "263399"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/psp%3Arootprivileged
  uid: e512c27b-9eec-11e8-9bfa-0cc47ab1f848
rules:
- apiGroups:
  - extensions
  resourceNames:
  - permit-root
  resources:
  - podsecuritypolicies
  verbs:
  - use
# kubectl get psp permit-root -o yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  creationTimestamp: 2018-08-13T11:23:04Z
  name: permit-root
  resourceVersion: "264016"
  selfLink: /apis/extensions/v1beta1/podsecuritypolicies/permit-root
  uid: 3eaf6f3e-9eeb-11e8-9bfa-0cc47ab1f848
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
  • kubectl create rolebinding default:psp:root --role=psp:rootprivileged --serviceaccount=default:default