This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

Navigator should be able to operate in a cluster where PodSecurityPolicy is enabled #367

Open
wallrj opened this issue Jun 12, 2018 · 0 comments

wallrj commented Jun 12, 2018

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

It looks like we need a way for users to choose the name of a PodSecurityPolicy to use for the service accounts generated by the Navigator controller.

  • Maybe have the helm chart install a PodSecurityPolicy suitable for use by Navigator database service accounts.
  • And have helm install an RBAC ClusterRole which allows the subject to use that PSP.
  • And have the Navigator controller create role bindings for each service account, binding it to the ClusterRole above.
  • We should run E2E tests in a cluster where there's a very restrictive default PodSecurityPolicy.

/kind feature
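The three objects proposed in the first three bullets above, sketched as manifests; this is an added illustration, not part of the original issue or the Navigator chart. All names (`navigator-database`, `navigator-database-psp`, `example-ns`, `example-cluster-sa`) and the policy settings are assumptions, and clusters older than Kubernetes 1.10 serve PodSecurityPolicy from the `extensions` API group instead of `policy`.

```yaml
# Constructed example; every name and policy value here is hypothetical.
apiVersion: policy/v1beta1        # PSP API (removed in Kubernetes 1.25)
kind: PodSecurityPolicy
metadata:
  name: navigator-database
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot        # assumes the database images run as non-root
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim]
---
# Grants only the "use" verb, and only on the one named policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: navigator-database-psp
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["navigator-database"]
  verbs: ["use"]
---
# One binding per generated service account, created by the controller.
# A namespaced RoleBinding limits the grant to that account's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-cluster-sa-psp
  namespace: example-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: navigator-database-psp
subjects:
- kind: ServiceAccount
  name: example-cluster-sa
  namespace: example-ns
```

With a restrictive default policy in place, `kubectl auth can-i use podsecuritypolicy/navigator-database --as=system:serviceaccount:example-ns:example-cluster-sa -n example-ns` confirms whether the binding took effect.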
