After enabling the PodSecurityPolicy admission controller in a kubeadm cluster, one might forget to create a policy for mirror pods and only find out the hard way when upgrading the cluster.
When creating static pods, the kubelet also creates mirror pods on the API server. Kubelets are under
Here is a not so strict one that I composed:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nodes
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
spec:
  privileged: false
  defaultAllowPrivilegeEscalation: false
  allowedCapabilities: []
  volumes:
  - hostPath
  allowedHostPaths:
  - pathPrefix: /etc
  - pathPrefix: /usr
  - pathPrefix: /var/lib/etcd
  forbiddenSysctls:
  - '*'
  hostIPC: false
  hostNetwork: true
  hostPID: false
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  runAsUser:
    rule: 'RunAsAny'
I tested it with static pods created by kubeadm, that is, kube-apiserver, kube-controller-manager, kube-scheduler and etcd.
Obviously this can be further improved by restricting the policy to only what those pods need.
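Before switching the admission controller on, it helps to know whether the mirror pods would actually be admitted. The following is an added pre-flight check, not code from the post: it evaluates a pod spec against the host-related rules of the "nodes" policy above (hostNetwork/hostPID/hostIPC, privileged, added capabilities, and allowedHostPaths prefix matching). The etcd pod spec at the bottom is a constructed sample resembling kubeadm's etcd mirror pod, not the real manifest.

```python
# Host-related rules of the "nodes" PodSecurityPolicy from the post.
PSP = {
    "privileged": False,
    "hostNetwork": True,
    "hostPID": False,
    "hostIPC": False,
    "allowedCapabilities": [],
    "allowedHostPaths": ["/etc", "/usr", "/var/lib/etcd"],
}

def host_path_allowed(path, prefixes):
    """PSP pathPrefix semantics: '/etc' allows '/etc' and '/etc/kubernetes', not '/etcd'."""
    path = path.rstrip("/") or "/"
    for prefix in prefixes:
        prefix = prefix.rstrip("/") or "/"
        if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
            return True
    return False

def violations(pod, psp=PSP):
    """Return the reasons the pod would be rejected by the policy (empty list = admitted)."""
    spec = pod["spec"]
    problems = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag, False) and not psp[flag]:
            problems.append(f"{flag} not allowed")
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp and not host_path_allowed(hp["path"], psp["allowedHostPaths"]):
            problems.append(f"hostPath {hp['path']} not under an allowed prefix")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp["privileged"]:
            problems.append(f"container {c['name']} is privileged")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in psp["allowedCapabilities"]:
                problems.append(f"container {c['name']} adds capability {cap}")
    return problems

# Constructed sample resembling kubeadm's etcd mirror pod (not the real manifest).
ETCD_POD = {"metadata": {"name": "etcd-master", "namespace": "kube-system"},
            "spec": {"hostNetwork": True,
                     "containers": [{"name": "etcd", "image": "etcd"}],
                     "volumes": [{"name": "etcd-data", "hostPath": {"path": "/var/lib/etcd"}},
                                 {"name": "etcd-certs", "hostPath": {"path": "/etc/kubernetes/pki/etcd"}}]}}

if __name__ == "__main__":
    print(violations(ETCD_POD))  # prints [] because both mounts fall under allowed prefixes
```

Feed it the spec of each static pod under /etc/kubernetes/manifests (loaded with a YAML parser) to see which mounts or settings the policy would block before it blocks them for real.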
The corresponding ClusterRole and ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-nodes
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-nodes
roleRef:
  kind: ClusterRole
  name: psp-nodes
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io