Create a new ServiceAccount named psp-denial-sa in the existing namespace development.

Posted by: Pdfprep Category: CKS

Create a new ServiceAccount named psp-denial-sa in the existing namespace development.

Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa.

Answer: Create a PSP to disallow privileged containers.


Explanation

master1 $ vim psp.yaml

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: deny-policy
spec:
  privileged: false # Don't allow privileged pods!
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

master1 $ vim cr1.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deny-access-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - "deny-policy"

master1 $ k create sa psp-denial-sa -n development

master1 $ vim cb1.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restrict-access-bind
roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
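The four objects only enforce anything when their names line up exactly (the PSP named in resourceNames, the ClusterRole named in roleRef, the ServiceAccount name and namespace in subjects), and a one-letter slip such as "restrict-access-bing" or "psd-denial-sa" leaves the policy unenforced without any error. The following added example (not part of the original post) embeds the manifests above as Python dicts and checks that chain offline, so it needs no cluster or PyYAML.

```python
# Added consistency check for the PSP -> ClusterRole -> ServiceAccount chain.
# The manifests are constructed here to mirror the YAML in the answer above.
# Note: PodSecurityPolicy was removed in Kubernetes 1.25; this applies to older clusters.

PSP = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
       "metadata": {"name": "deny-policy"},
       "spec": {"privileged": False, "seLinux": {"rule": "RunAsAny"},
                "supplementalGroups": {"rule": "RunAsAny"},
                "runAsUser": {"rule": "RunAsAny"}, "fsGroup": {"rule": "RunAsAny"},
                "volumes": ["*"]}}
ROLE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
        "metadata": {"name": "deny-access-role"},
        "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                   "verbs": ["use"], "resourceNames": ["deny-policy"]}]}
SA = {"kind": "ServiceAccount",
      "metadata": {"name": "psp-denial-sa", "namespace": "development"}}
BINDING = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
           "metadata": {"name": "restrict-access-bind"},
           "roleRef": {"kind": "ClusterRole", "name": "deny-access-role",
                       "apiGroup": "rbac.authorization.k8s.io"},
           "subjects": [{"kind": "ServiceAccount", "name": "psp-denial-sa",
                         "namespace": "development"}]}


def check_chain(psp, role, sa, binding):
    """Return a list of problems; an empty list means every link in the chain matches."""
    problems = []
    # 1. The policy itself must actually forbid privileged pods.
    if psp["spec"].get("privileged", False):
        problems.append("PSP does not block privileged pods")
    # 2. Some rule in the ClusterRole must grant 'use' on exactly this PSP.
    psp_name = psp["metadata"]["name"]
    if not any("policy" in r.get("apiGroups", [])
               and "podsecuritypolicies" in r.get("resources", [])
               and "use" in r.get("verbs", [])
               and psp_name in r.get("resourceNames", [])
               for r in role.get("rules", [])):
        problems.append(f"ClusterRole does not grant 'use' on PSP {psp_name}")
    # 3. The binding must reference that ClusterRole by kind and name.
    ref = binding["roleRef"]
    if ref["kind"] != "ClusterRole" or ref["name"] != role["metadata"]["name"]:
        problems.append("roleRef does not point at the ClusterRole")
    # 4. The ServiceAccount (name AND namespace) must appear among the subjects.
    wanted = {"kind": "ServiceAccount", "name": sa["metadata"]["name"],
              "namespace": sa["metadata"]["namespace"]}
    if wanted not in binding.get("subjects", []):
        problems.append("binding subjects do not include the ServiceAccount")
    return problems
```

Running check_chain against a binding whose subject is misspelled psd-denial-sa reports the broken link, which is what you would otherwise only discover when a privileged pod is still admitted.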
