Prisma Cloud Compute: Error creating pods "twistlock-defender-ds-" is forbidden: unable to validate against any pod security policy. Privileged containers are not allowed

Created On 11/18/19 18:09 PM - Last Modified 12/20/23 17:50 PM


Symptom


If RBAC is enabled in your cluster, you might get the following error when trying to create the Defender DaemonSet:

Error creating: pods "twistlock-defender-ds-" is forbidden: unable to validate against any pod security policy. Privileged containers are not allowed


Environment


  • SaaS
  • Self-Hosted 19.11 or later


Resolution


If you get this error, create a Role and a RoleBinding in the twistlock namespace so that the Defender service account is allowed to use a PodSecurityPolicy that permits privileged containers. The example below assumes that a PodSecurityPolicy named privileged already exists in the cluster and that Defender runs as the twistlock-service service account (both names appear in the manifests). You can use the following example Role and RoleBinding:

Role

1. Create a YAML file with the following contents:

vi twistlock_role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: twistlock-role
  namespace: twistlock
rules:
- apiGroups:
  - extensions
  - policy   # PodSecurityPolicy lives in the policy API group; the extensions copy was removed in Kubernetes 1.16
  resourceNames:
  - privileged   # name of an existing PodSecurityPolicy in the cluster
  resources:
  - podsecuritypolicies
  verbs:
  - use

2. Create the role in Kubernetes:

kubectl apply -f twistlock_role.yaml


RoleBinding

3. Create a YAML file for the role binding:

vi twistlock_rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: twistlock-rolebinding
  namespace: twistlock
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: twistlock-role
subjects:
- kind: ServiceAccount
  name: twistlock-service   # the service account the Defender pods run as
  namespace: twistlock

4. Create the role binding in Kubernetes:

kubectl apply -f twistlock_rolebinding.yaml
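As an added example (not Prisma Cloud's or Kubernetes' own code), the script below models the RBAC evaluation behind this error and runs it against the Role and RoleBinding above, transcribed as Python dicts so it needs no YAML library and no cluster. The PodSecurityPolicy admission controller authorizes the pod's service account to use a PodSecurityPolicy, which is why the binding's subject is the Defender service account twistlock-service. The model assumes a PodSecurityPolicy named privileged exists and that the Role names the policy API group alongside extensions; the Attributes class and the function names are this example's own.

```python
# Added example: a small model of the RBAC check behind the
# PodSecurityPolicy "use" verb, run against the article's manifests.
from dataclasses import dataclass

# Role from the article, transcribed. 'policy' is listed next to
# 'extensions' because PodSecurityPolicy lives in the 'policy' API group
# (the 'extensions' copy was removed in Kubernetes 1.16).
# Assumption: a PodSecurityPolicy named 'privileged' exists in the cluster.
TWISTLOCK_ROLE = {
    "kind": "Role",
    "metadata": {"name": "twistlock-role", "namespace": "twistlock"},
    "rules": [{
        "apiGroups": ["extensions", "policy"],
        "resources": ["podsecuritypolicies"],
        "resourceNames": ["privileged"],
        "verbs": ["use"],
    }],
}

# RoleBinding from the article: grants the Role to the Defender service account.
TWISTLOCK_ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "twistlock-rolebinding", "namespace": "twistlock"},
    "roleRef": {"kind": "Role", "name": "twistlock-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "twistlock-service",
                  "namespace": "twistlock"}],
}


@dataclass(frozen=True)
class Attributes:
    """One authorization question, in the shape the API server asks it."""
    user: str
    namespace: str
    api_group: str
    resource: str
    name: str
    verb: str


def service_account_user(namespace: str, name: str) -> str:
    """The username a service account authenticates as."""
    return f"system:serviceaccount:{namespace}:{name}"


def rule_matches(rule: dict, attr: Attributes) -> bool:
    """A PolicyRule matches when group, resource and verb all match ('*' is
    a wildcard) and, when resourceNames is set, the object name as well."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    names = rule.get("resourceNames") or []
    return (hit(rule.get("apiGroups", []), attr.api_group)
            and hit(rule.get("resources", []), attr.resource)
            and hit(rule.get("verbs", []), attr.verb)
            and (not names or attr.name in names))


def binding_names_subject(binding: dict, user: str) -> bool:
    """True if the binding's subjects include this user (SA or User kind)."""
    for s in binding.get("subjects", []):
        if s["kind"] == "ServiceAccount":
            if service_account_user(s["namespace"], s["name"]) == user:
                return True
        elif s["kind"] == "User" and s["name"] == user:
            return True
    return False


def rbac_allows(roles: list, bindings: list, attr: Attributes) -> bool:
    """Namespaced RBAC: some RoleBinding in attr.namespace names the subject
    and refers to a Role in the same namespace with a rule matching the request."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if ns != attr.namespace or not binding_names_subject(b, attr.user):
            continue
        if b["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are outside this model
        role = by_key.get((ns, b["roleRef"]["name"]))
        if role and any(rule_matches(rule, attr) for rule in role["rules"]):
            return True
    return False


def psp_use_allowed(roles, bindings, sa_namespace, sa_name, psp_name,
                    api_groups=("policy", "extensions")) -> bool:
    """Mirror of the admission check for a pod's service account: the SA must
    be allowed to 'use' the named PodSecurityPolicy in one of the API groups
    the admission controller consults."""
    user = service_account_user(sa_namespace, sa_name)
    return any(
        rbac_allows(roles, bindings, Attributes(user, sa_namespace, group,
                                                "podsecuritypolicies", psp_name, "use"))
        for group in api_groups)


if __name__ == "__main__":
    roles, bindings = [TWISTLOCK_ROLE], [TWISTLOCK_ROLEBINDING]
    for ns, sa, psp in [("twistlock", "twistlock-service", "privileged"),
                        ("twistlock", "twistlock-service", "restricted"),
                        ("default", "twistlock-service", "privileged")]:
        verdict = "allowed" if psp_use_allowed(roles, bindings, ns, sa, psp) else "forbidden"
        print(f"{service_account_user(ns, sa)} use psp/{psp}: {verdict}")
```

After applying the manifests to a real cluster, the same question can be put to the API server directly with kubectl auth can-i use podsecuritypolicies.policy/privileged --as=system:serviceaccount:twistlock:twistlock-service -n twistlock; a "no" means the Role, the binding or the PodSecurityPolicy name does not line up, and the DaemonSet will keep failing with the error above.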
 
 

