  1. apiVersion: extensions/v1beta1
  2. kind: PodSecurityPolicy
  3. metadata:
  4. name: privileged
  5. annotations:
  6. seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
  7. spec:
  8. privileged: true
  9. allowPrivilegeEscalation: true
  10. allowedCapabilities:
  11. - "*"
  12. volumes:
  13. - "*"
  14. hostNetwork: true
  15. hostPorts:
  16. - min: 0
  17. max: 65535
  18. hostIPC: true
  19. hostPID: true
  20. runAsUser:
  21. rule: 'RunAsAny'
  22. seLinux:
  23. rule: 'RunAsAny'
  24. supplementalGroups:
  25. rule: 'RunAsAny'
  26. fsGroup:
  27. rule: 'RunAsAny'
  28. ---
  29. apiVersion: extensions/v1beta1
  30. kind: PodSecurityPolicy
  31. metadata:
  32. name: restricted
  33. annotations:
  34. seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
  35. seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
  36. spec:
  37. privileged: false
  38. # Required to prevent escalations to root.
  39. allowPrivilegeEscalation: false
  40. # This is redundant with non-root + disallow privilege escalation,
  41. # but we can provide it for defense in depth.
  42. requiredDropCapabilities:
  43. - ALL
  44. # Allow core volume types.
  45. volumes:
  46. - 'configMap'
  47. - 'emptyDir'
  48. - 'projected'
  49. - 'secret'
  50. - 'downwardAPI'
  51. # Assume that persistentVolumes set up by the cluster admin are safe to use.
  52. - 'persistentVolumeClaim'
  53. hostNetwork: false
  54. hostIPC: false
  55. hostPID: false
  56. runAsUser:
  57. # Require the container to run without root privileges.
  58. rule: 'MustRunAsNonRoot'
  59. seLinux:
  60. # This policy assumes the nodes are using AppArmor rather than SELinux.
  61. rule: 'RunAsAny'
  62. supplementalGroups:
  63. rule: 'MustRunAs'
  64. ranges:
  65. # Forbid adding the root group.
  66. - min: 1
  67. max: 65535
  68. fsGroup:
  69. rule: 'MustRunAs'
  70. ranges:
  71. # Forbid adding the root group.
  72. - min: 1
  73. max: 65535
  74. readOnlyRootFilesystem: false
  75. ---
  76. apiVersion: rbac.authorization.k8s.io/v1
  77. kind: ClusterRole
  78. metadata:
  79. name: psp:privileged
  80. rules:
  81. - apiGroups: ['extensions']
  82. resources: ['podsecuritypolicies']
  83. verbs: ['use']
  84. resourceNames:
  85. - privileged
  86. ---
  87. apiVersion: rbac.authorization.k8s.io/v1
  88. kind: ClusterRole
  89. metadata:
  90. name: psp:restricted
  91. rules:
  92. - apiGroups: ['extensions']
  93. resources: ['podsecuritypolicies']
  94. verbs: ['use']
  95. resourceNames:
  96. - restricted
  97. ---
  98. apiVersion: rbac.authorization.k8s.io/v1
  99. kind: ClusterRoleBinding
  100. metadata:
  101. name: default:restricted
  102. roleRef:
  103. apiGroup: rbac.authorization.k8s.io
  104. kind: ClusterRole
  105. name: psp:restricted
  106. subjects:
  107. - kind: Group
  108. name: system:authenticated
  109. apiGroup: rbac.authorization.k8s.io
  110. ---
  111. apiVersion: rbac.authorization.k8s.io/v1
  112. kind: ClusterRoleBinding
  113. metadata:
  114. name: default:privileged
  115. roleRef:
  116. apiGroup: rbac.authorization.k8s.io
  117. kind: ClusterRole
  118. name: psp:privileged
  119. subjects:
  120. - kind: Group
  121. name: system:serviceaccounts:kube-system
  122. apiGroup: rbac.authorization.k8s.io
  123. - kind: Group
  124. name: system:serviceaccounts:monitoring
  125. apiGroup: rbac.authorization.k8s.io
  126. - kind: Group
  127. name: system:serviceaccounts:logging
  128. apiGroup: rbac.authorization.k8s.io
  129. - kind: Group
  130. name: system:serviceaccounts:ingress-controllers
  131. apiGroup: rbac.authorization.k8s.io