Hi team can someone tell me 1. which clusterrole or role/ bindings are used to . . .

DS Dsouza:
hi team can someone tell me

  1. Which clusterrole or role/bindings are used to use the PSP objects? In the course labs I didn't have to create the SA and the roles/role bindings. As per one of the course contents, it was specified that a role/bindings needs to be available. Just curious to know which one it is?
  2. When we disable automount on the service account, can we use the service account? If not, why even specify the service account? This is in reference to the mock exam…

Shang:

  1. You can describe the object to check. For example, kubectl describe clusterrole | grep use; kubectl describe clusterrolebinding <name> for the 1st query.
  2. As per my understanding, if your application doesn't need to call the API server, best practice is to disable automount. However, the pod itself still has this privilege, for example, to use the PSP as you mentioned above.

DS Dsouza:
Thanks Shang

Hamid Zorgani:
Not only the service account needs the use privilege for the PSP; even the default service account for the controller does. If you have a deployment and one pod dies, the controller will try to create a new pod, so it needs the use verb for the PSP.
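The objects Shang and Hamid are describing, written out as an added example (not from this thread or from the course material): a ClusterRole carrying the "use" verb on one PodSecurityPolicy, a RoleBinding for the application's service account, a second RoleBinding for the ReplicaSet controller's service account, and a Pod that keeps its service account but does not mount the token. PSP admission accepts a pod if either the identity making the request (a user, or a controller's service account) or the pod's own service account is allowed to use the policy, so binding both covers pods created directly and pods recreated by a Deployment. The names restricted-example, psp-restricted-example-user, app-sa and the dev namespace are assumptions; replicaset-controller in kube-system is the real controller service account. PodSecurityPolicy was removed in Kubernetes 1.25, so this applies to clusters older than that.

```yaml
# Added example, not from the thread. Object names are assumptions.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example            # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
---
# The ClusterRole is the object that carries the "use" verb. resourceNames
# pins it to one policy; without it the role would allow every PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example-user   # assumed name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-example"]
    verbs: ["use"]
---
# Binding for the application's service account in its namespace. A
# RoleBinding (not a ClusterRoleBinding) keeps the grant namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-example-app    # assumed name
  namespace: dev                      # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-example-user
subjects:
  - kind: ServiceAccount
    name: app-sa                      # assumed name
    namespace: dev
---
# Binding for the controller's service account (Hamid's point): when a
# Deployment's ReplicaSet recreates a pod, the create request comes from
# system:serviceaccount:kube-system:replicaset-controller, not from the user
# who ran kubectl apply.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-example-controllers   # assumed name
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-example-user
subjects:
  - kind: ServiceAccount
    name: replicaset-controller
    namespace: kube-system
---
# Shang's point: automountServiceAccountToken only controls the token volume.
# The pod still runs as app-sa, and PSP admission still evaluates app-sa.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: dev
spec:
  serviceAccountName: app-sa
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
    - name: app
      image: registry.example.invalid/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
```

To confirm which identity is allowed to use the policy, kubectl auth can-i use podsecuritypolicy/restricted-example --as=system:serviceaccount:dev:app-sa -n dev answers for the application's service account, and the same command with --as=system:serviceaccount:kube-system:replicaset-controller answers for the controller; kubectl describe clusterrole psp-restricted-example-user shows the use verb and the resourceNames restriction.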

Magnus Markling:
All the needed roles etc. are described here:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/