A kubectl plugin to manage Pod Security Policy (PSP) and RBAC resources.
Attach/detach a PSP to/from RBAC subjects (Group, User) or ServiceAccounts, and view which Subjects in the cluster each PSP is effective for.
See the details of PSP:
See the Best Practices of PSP:
- https://aws.github.io/aws-eks-best-practices/pods/#recommendations
- https://github.com/sysdiglabs/kube-psp-advisor
- https://blog.jlandowner.com/posts/pod-security-policy-best-practice/
You can install it with krew. After installing krew, run the following command:

```
kubectl krew install psp-util
```
```
$ kubectl psp-util
A Kubectl plugin to manage Pod Security Policy(PSP) and the related RBAC Resources.
Attach/Detach PSP to/from RBACs(Group, User) or ServiceAccounts and
view the relations which PSP is effected to the Subjects in cluster.

Complete documentation is available at http://github.com/jlandowner/psp-util

Usage:
  psp-util [command]

Available Commands:
  attach      Attach PSP to RBAC Subject (Auto generate managed ClusterRole and ClusterRoleBinding)
  clean       Clean managed ClusterRole and ClusterRoleBinding
  detach      Detach PSP from RBAC Subject
  help        Help about any command
  list        List PSP and RBAC associated with it.
  tree        View relational tree between PSP and Subjects
  version     Print the version number

Flags:
  -h, --help                help for psp-util
      --kubeconfig string   kube config file (default is $HOME/.kube/config)

Use "psp-util [command] --help" for more information about a command.
```
`list` shows all PSPs in the cluster, along with the ClusterRoles and ClusterRoleBindings associated with each of them. The `Managed` column shows whether those ClusterRoles and ClusterRoleBindings were auto-created and are managed by `psp-util`.

```
$ kubectl psp-util list
PSP                                     ClusterRole                                      ClusterRoleBinding                               NS/Role         NS/RoleBinding  Managed
eks.privileged                          eks:podsecuritypolicy:privileged                 eks:podsecuritypolicy:authenticated                                              false
pod-security-policy-all-20200702180710  psp-util.pod-security-policy-all-20200702180710  psp-util.pod-security-policy-all-20200702180710                                  true
restricted                              psp-util.restricted                              psp-util.restricted                                                              true
myapp                                                                                                                                     default/myapp   default/myapp   false
```
`tree` shows the relations between PSPs and Subjects as a tree.

```
$ kubectl psp-util tree
📙 PSP eks.privileged
└── 📕 ClusterRole eks:podsecuritypolicy:privileged
    └── 📘 ClusterRoleBinding eks:podsecuritypolicy:authenticated
        └── 📗 Subject{Kind: Group, Name: system:master, Namespace: }
        └── 📗 Subject{Kind: ServiceAccount, Name: default, Namespace: kube-system}
📙 PSP pod-security-policy-all-20200702180710
└── 📕 ClusterRole psp-util.pod-security-policy-all-20200702180710
    └── 📘 ClusterRoleBinding psp-util.pod-security-policy-all-20200702180710
        └── 📗 Subject{Kind: Group, Name: system:authenticated, Namespace: }
📙 PSP restricted
└── 📕 ClusterRole psp-util.restricted
    └── 📘 ClusterRoleBinding psp-util.restricted
        └── 📗 Subject{Kind: Group, Name: my:group, Namespace: }
        └── 📗 Subject{Kind: ServiceAccount, Name: default, Namespace: default}
📙 PSP myapp
└── 📓 Role default/myapp
    └── 📓 RoleBinding default/myapp
        └── 📗 Subject{Kind: ServiceAccount, Name: myapp, Namespace: default}
```
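What `tree` prints is the chain PSP → role granting the `use` verb → binding → subjects. The following added example (not psp-util's own code) recomputes that relation offline from role and binding objects shaped like the `items` of `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`; the sample objects in it are constructed for the example. It goes slightly beyond the tree output above by treating wildcard rules as grants: a ClusterRole with `*` resources and verbs (cluster-admin, for instance) makes every PSP usable by its subjects even though it never names one, and an audit that only searches for rules naming the PSP misses it.

```python
"""Resolve which RBAC subjects a PodSecurityPolicy is effective for.

Added example, not psp-util's own code. It walks role and binding objects in
the shape of the `items` of
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`
and reports, per PSP, every binding (and its subjects) that grants the `use`
verb on that PSP. The sample objects below are constructed for the example.
"""

PSP_API_GROUPS = {"policy", "extensions", "*"}  # PSP moved from extensions to policy


def rule_grants_use(rule: dict, psp_name: str) -> bool:
    """True if one RBAC rule grants `use` on the named PSP.

    Wildcards count: a rule with `*` resources or verbs (cluster-admin style)
    or with no resourceNames restriction grants use on every PSP."""
    if not PSP_API_GROUPS & set(rule.get("apiGroups", [])):
        return False
    if not {"podsecuritypolicies", "*"} & set(rule.get("resources", [])):
        return False
    if not {"use", "*"} & set(rule.get("verbs", [])):
        return False
    names = rule.get("resourceNames")
    return not names or psp_name in names


def subject_key(s: dict) -> str:
    ns = s.get("namespace")
    return f"{s['kind']}/{s['name']}" + (f" ({ns})" if ns else "")


def resolve(psps, roles, bindings):
    """Return {psp: {"<Kind> [ns/]name": [subjects...]}} for every PSP name.

    A RoleBinding may reference a ClusterRole; RBAC then applies the grant
    only inside the binding's namespace, so the binding label carries it."""
    granting = {}
    for r in roles:
        key = (r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"])
        granting[key] = r.get("rules", [])
    result = {psp: {} for psp in psps}
    for psp in psps:
        for b in bindings:
            ref, ns = b["roleRef"], b["metadata"].get("namespace")
            role_key = (ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"])
            if any(rule_grants_use(rule, psp) for rule in granting.get(role_key, [])):
                label = f"{b['kind']} " + (f"{ns}/" if ns else "") + b["metadata"]["name"]
                result[psp][label] = [subject_key(s) for s in b.get("subjects", [])]
    return result


def render(relations: dict) -> str:
    """Tree text in the spirit of `psp-util tree`."""
    lines = []
    for psp, bindings in relations.items():
        lines.append(f"PSP {psp}")
        for label, subjects in bindings.items():
            lines.append(f"└── {label}")
            lines.extend(f"    └── Subject {s}" for s in subjects)
    return "\n".join(lines)


def _psp_rule(psp):
    return {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
            "verbs": ["use"], "resourceNames": [psp]}


# Constructed sample, mimicking a small cluster's RBAC dump.
SAMPLE_PSPS = ["restricted", "privileged", "myapp"]
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "psp-util.restricted"},
     "rules": [_psp_rule("restricted")]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "myapp", "namespace": "default"},
     "rules": [_psp_rule("myapp")]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "psp-util.restricted"},
     "roleRef": {"kind": "ClusterRole", "name": "psp-util.restricted"},
     "subjects": [{"kind": "Group", "name": "my:group"},
                  {"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "myapp", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "myapp"},
     "subjects": [{"kind": "ServiceAccount", "name": "myapp", "namespace": "default"}]},
]

if __name__ == "__main__":
    print(render(resolve(SAMPLE_PSPS, SAMPLE_ROLES, SAMPLE_BINDINGS)))
```

Run it as a script to print the tree for the constructed sample; against a real cluster, load the `items` list of each `kubectl get ... -o json` call into `roles` and `bindings` and the PSP names into `psps`. The `cluster-admin` row it attaches to every PSP is the point of the wildcard handling.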
`attach` attaches a PSP to Subjects (Group, User or ServiceAccount).

```
Usage:
  psp-util attach PSP [ --group | --user | --sa ] SUBJECT-NAME [flags]

Flags:
  -g, --group string       set Subject's Name and use Kind Group
  -u, --user string        set Subject's Name and use Kind User
  -s, --sa string          set Subject's Name and use Kind ServiceAccount
  -n, --namespace string   set Subject's Namespace (only used when kind is ServiceAccount)
      --api-group string   set Subject's APIGroup
      --kind string        set Subject's Kind
      --name string        set Subject's Name
```

If there is no managed ClusterRole and ClusterRoleBinding associated with the given PSP, they are generated automatically.

Attaching `my-psp` to Group `system:authenticated`:

```
$ kubectl psp-util attach my-psp --group system:authenticated
```

Attaching `my-psp` to the `default` ServiceAccount in the `kube-system` namespace:

```
$ kubectl psp-util attach my-psp --sa default -n kube-system
```

Or you can set all of the Subject's fields directly:

```
$ kubectl psp-util attach my-psp --api-group=rbac.authorization.k8s.io --kind=Group --name=system:authenticated
```
`detach` detaches a Subject from a PSP.
It removes the Subject from the ClusterRoleBinding only if there is a managed ClusterRoleBinding in the cluster.
All the options are the same as for the `attach` command.

```
Usage:
  psp-util detach PSP-NAME [ --group | --user | --sa ] SUBJECT-NAME [flags]

Flags:
  -g, --group string       set Subject's Name and use Kind Group
  -u, --user string        set Subject's Name and use Kind User
  -s, --sa string          set Subject's Name and use Kind ServiceAccount
  -n, --namespace string   set Subject's Namespace (only used when kind is ServiceAccount)
      --api-group string   set Subject's APIGroup
      --kind string        set Subject's Kind
      --name string        set Subject's Name
```
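In RBAC terms, `attach` and `detach` edit a ClusterRole that grants the `use` verb on exactly one PodSecurityPolicy and a ClusterRoleBinding from that role to the Subject. The following added example (not psp-util's own code) builds those two objects as plain dicts and edits a managed binding the way the two commands above describe. The `psp-util.<psp>` naming and the `psp-util.k8s.jlandowner.com/psp` annotation follow the `list` and `describe` output in this README; everything else (the function names, refusing a non-managed binding by raising `ValueError`) is the example's own choice.

```python
"""Build and edit the managed RBAC objects behind `psp-util attach`/`detach`.

Added example, not psp-util's own code. The `psp-util.<psp>` names and the
marker annotation come from the README's `list`/`describe` output; the rest
is this example's choice. Objects are plain dicts, so `json.dumps` (or
`yaml.safe_dump`) of them can be piped into `kubectl apply -f -`.
"""
import json
from typing import List, Optional, Tuple

MANAGED_ANNOTATION = "psp-util.k8s.jlandowner.com/psp"
RBAC_GROUP = "rbac.authorization.k8s.io"


def managed_name(psp: str) -> str:
    return f"psp-util.{psp}"


def subject(kind: str, name: str, namespace: Optional[str] = None) -> dict:
    """RBAC subject. Users and Groups carry the RBAC apiGroup; ServiceAccounts
    are core objects and need a namespace instead."""
    if kind == "ServiceAccount":
        if not namespace:
            raise ValueError("ServiceAccount subject needs a namespace")
        return {"kind": kind, "name": name, "namespace": namespace}
    if kind not in ("User", "Group"):
        raise ValueError(f"unsupported subject kind {kind!r}")
    return {"kind": kind, "name": name, "apiGroup": RBAC_GROUP}


def managed_cluster_role(psp: str) -> dict:
    """Least-privilege role: only `use`, only podsecuritypolicies, only this PSP.
    Dropping resourceNames would let the subject use every PSP in the cluster."""
    return {
        "apiVersion": f"{RBAC_GROUP}/v1", "kind": "ClusterRole",
        "metadata": {"name": managed_name(psp), "annotations": {MANAGED_ANNOTATION: psp}},
        "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                   "verbs": ["use"], "resourceNames": [psp]}],
    }


def managed_cluster_role_binding(psp: str, subjects: List[dict]) -> dict:
    return {
        "apiVersion": f"{RBAC_GROUP}/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": managed_name(psp), "annotations": {MANAGED_ANNOTATION: psp}},
        "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": managed_name(psp)},
        "subjects": list(subjects),
    }


def is_managed(obj: dict, psp: str) -> bool:
    """The annotation is the only thing that marks an object as psp-util managed."""
    return obj.get("metadata", {}).get("annotations", {}).get(MANAGED_ANNOTATION) == psp


def attach(psp: str, subj: dict, existing_binding: Optional[dict] = None) -> Tuple[dict, dict]:
    """Return (ClusterRole, ClusterRoleBinding) with `subj` bound; idempotent.

    With no existing managed binding both objects are created from scratch,
    mirroring the CLI's 'is not found...Created'; otherwise its subject list
    is extended without duplicating an already-bound subject."""
    subjects = list(existing_binding.get("subjects", [])) if existing_binding else []
    if subj not in subjects:
        subjects.append(subj)
    return managed_cluster_role(psp), managed_cluster_role_binding(psp, subjects)


def detach(psp: str, subj: dict, binding: dict) -> dict:
    """Remove `subj` from a managed binding only. A binding without the
    marker annotation (an eks:podsecuritypolicy:* or hand-written one) is
    refused rather than edited."""
    if not is_managed(binding, psp):
        raise ValueError(f"{binding['metadata']['name']} is not managed by psp-util for {psp}")
    out = dict(binding)
    out["subjects"] = [s for s in binding.get("subjects", []) if s != subj]
    return out


if __name__ == "__main__":
    # Same two attaches as the README's examples, then print an applyable List.
    role, binding = attach("my-psp", subject("Group", "system:authenticated"))
    _, binding = attach("my-psp", subject("ServiceAccount", "default", "kube-system"), binding)
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [role, binding]}, indent=2))
```

Run as a script it prints the ClusterRole and ClusterRoleBinding for the two attaches shown above, which `kubectl apply -f -` accepts; `kubectl describe clusterrolebinding psp-util.my-psp` then shows the same annotation `psp-util list` uses to mark the row as managed.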
`clean` deletes a managed ClusterRole and ClusterRoleBinding.
NOTE: It does not delete the given PSP resource, nor any non-managed ClusterRole and ClusterRoleBinding.

```
Usage:
  psp-util clean PSP-NAME
```
Create a PSP by using kube-psp-advisor.

```
$ kubectl advise-psp inspect | kubectl apply -f -
```

See that the PSP has been created.

```
$ kubectl psp-util list
PSP                                     ClusterRole                                      ClusterRoleBinding                               Managed
eks.privileged                          eks:podsecuritypolicy:privileged                 eks:podsecuritypolicy:authenticated              false
pod-security-policy-all-20200702180710
```

Attach the PSP to the Group named `system:serviceaccounts:default`.

```
$ kubectl psp-util attach pod-security-policy-all-20200702180710 --group system:serviceaccounts:default
Managed ClusterRole is not found...Created
Managed ClusterRoleBinding is not found...Created
```

Then you can see that a ClusterRole and ClusterRoleBinding have been created and the PSP is effective for the Subject.

```
$ kubectl psp-util list
PSP                                     ClusterRole                                      ClusterRoleBinding                               Managed
eks.privileged                          eks:podsecuritypolicy:privileged                 eks:podsecuritypolicy:authenticated              false
pod-security-policy-all-20200702180710  psp-util.pod-security-policy-all-20200702180710  psp-util.pod-security-policy-all-20200702180710  true
```

```
$ kubectl psp-util tree
📙 PSP eks.privileged
└── 📕 ClusterRole eks:podsecuritypolicy:privileged
    └── 📘 ClusterRoleBinding eks:podsecuritypolicy:authenticated
        └── 📗 Subject{Kind: Group, Name: system:authenticated, Namespace: }
📙 PSP pod-security-policy-all-20200702180710
└── 📕 ClusterRole psp-util.pod-security-policy-all-20200702180710
    └── 📘 ClusterRoleBinding psp-util.pod-security-policy-all-20200702180710
        └── 📗 Subject{Kind: Group, Name: system:serviceaccounts:default, Namespace: }
```

```
$ kubectl describe clusterrolebindings psp-util.pod-security-policy-all-20200702180710
Name:         psp-util.pod-security-policy-all-20200702180710
Labels:       <none>
Annotations:  psp-util.k8s.jlandowner.com/psp: pod-security-policy-all-20200702180710
Role:
  Kind:  ClusterRole
  Name:  psp-util.pod-security-policy-all-20200702180710
Subjects:
  Kind   Name                            Namespace
  ----   ----                            ---------
  Group  system:serviceaccounts:default
```
Apache License Version 2.0 Copyright 2020 jlandowner