Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- apiVersion: extensions/v1beta1
- kind: PodSecurityPolicy
- metadata:
- name: privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
- spec:
- privileged: true
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - "*"
- volumes:
- - "*"
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- ---
- apiVersion: extensions/v1beta1
- kind: PodSecurityPolicy
- metadata:
- name: restricted
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- requiredDropCapabilities:
- - ALL
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- # Assume that persistentVolumes set up by the cluster admin are safe to use.
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: psp:privileged
- rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - privileged
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: psp:restricted
- rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - restricted
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: default:restricted
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:restricted
- subjects:
- - kind: Group
- name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: default:privileged
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:privileged
- subjects:
- - kind: Group
- name: system:serviceaccounts:kube-system
- apiGroup: rbac.authorization.k8s.io
- - kind: Group
- name: system:serviceaccounts:monitoring
- apiGroup: rbac.authorization.k8s.io
- - kind: Group
- name: system:serviceaccounts:logging
- apiGroup: rbac.authorization.k8s.io
- - kind: Group
- name: system:serviceaccounts:ingress-controllers
- apiGroup: rbac.authorization.k8s.io
Add Comment
Please, Sign In to add comment