Navigator should be able to operate in a cluster where PodSecurityPolicy is enabled

Open wallrj opened this issue 7 years ago • 0 comments

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

It looks like we need a way for users to choose the name of a PodSecurityPolicy to use for the service accounts generated by the Navigator controller.

  • Maybe have the helm chart install a PodSecurityPolicy suitable for use by Navigator database service accounts.
  • And have helm install an RBAC ClusterRole which allows the subject to use that PSP.
  • And have the Navigator controller create role bindings for each service account, binding it to the ClusterRole above.
  • We should run E2E tests in a cluster where there's a very restrictive default PodSecurityPolicy.

/kind feature

wallrj, Jun 12 '18 11:06