aws-node-termination-handler-psp RoleBinding lives in default namespace

[gabegorelick]

The aws-node-termination-handler-psp RoleBinding references the aws-node-termination-handler ServiceAccount in kube-system. But the RoleBinding itself does not specify a namespace.
Note the lack of namespace under metadata:

aws-node-termination-handler/config/helm/aws-node-termination-handler/templates/psp.yaml

Lines 48 to 62 in 85e022b

	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: {{ template "aws-node-termination-handler.fullname" . }}-psp
	labels:
	{{ include "aws-node-termination-handler.labels" . | indent 4 }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: {{ template "aws-node-termination-handler.fullname" . }}-psp
	subjects:
	- kind: ServiceAccount
	name: {{ template "aws-node-termination-handler.serviceAccountName" . }}
	namespace: {{ .Release.Namespace }}
	{{- end }}

As such, it gets installed into the default namespace.

$ kubectl get rolebindings -n default
NAME                               ROLE                                           AGE
aws-node-termination-handler-psp   ClusterRole/aws-node-termination-handler-psp   15h

I'm not an expert in Kubernetes RBAC or PSPs, so apologies if this is off base, but according to https://kubernetes.io/docs/concepts/policy/pod-security-policy/, it seems like the PSP will have no effect since the RoleBinding doesn't grant access to the namespace that NTH actually runs in (kube-system):

When a PodSecurityPolicy resource is created, it does nothing. In order to use it, the requesting user or target pod's service account must be authorized to use the policy, by allowing the use verb on the policy.

[haugenj]

I think the PSP is working, we had an issue a while back where there were missing hostports in the PSP for the prometheus server, which caused the pods to fail #365

[gabegorelick]

I think the PSP is working, we had an issue a while back where there were missing hostports in the PSP for the prometheus server, which caused the pods to fail #365

Even if the PSP is working somehow, I'd still consider it a bug to install into the default namespace, unless there's some reason that needs to happen.

As far as I know, this is the only (non cluster-level) NTH resource that doesn't get installed into kube-system (or whatever namespace you specify). So it seems weird.

[bwagner5]

fixed, thanks for bringing this up. I'm still not entirely sure how this worked in the first place....