Kubernetes
If RBAC is enabled in your cluster, you might get the following error when trying to create a Defender DaemonSet.
Error creating: pods "twistlock-defender-ds-" is forbidden: unable to validate against any pod security policy ..Privileged containers are not allowed
If you get this error, then you must create a Role and RoleBinding so that Defender can run with the privileges it needs. Create a Role and RoleBinding for the twistlock namespace. You can use the following example Role and RoleBinding:
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: twistlock-role
namespace: twistlock
rules:
- apiGroups:
- extensions
resourceNames:
- privileged
resources:
- podsecuritypolicies
verbs:
- use
RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: twistlock-rolebinding
namespace: twistlock
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: twistlock-role
subjects:
- kind: ServiceAccount
name: twistlock-service
namespace: twistlock