local kube = import "kube.libsonnet";
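{
    local policies = self,

    // NOTE(review): PodSecurityPolicy (policy/v1beta1) was deprecated in
    // Kubernetes 1.21 and removed in 1.25. Everything below only has effect on
    // clusters that still run the PodSecurityPolicy admission plugin; on newer
    // clusters the equivalent controls are Pod Security Admission namespace
    // labels (pod-security.kubernetes.io/*) or an external policy engine.

    // Names of the ClusterRoles that grant `use` on the matching policy.
    // Exposed so that other manifests can bind them without repeating the
    // strings.
    policyNameAllowInsecure: "policy:allow-insecure",
    policyNameAllowSecure: "policy:allow-secure",
    policyNameAllowMostlySecure: "policy:allow-mostlysecure",

    Cluster: {
        local cluster = self,

        // Insecure: allowing creation of these pods allows you to pwn the entire cluster.
        // Every knob is open: privileged containers, any capability, any
        // volume type (hostPath included), the host's network/IPC/PID
        // namespaces and any UID. Granting `use` on this policy is equivalent
        // to handing out root on every node the pod can be scheduled on, so
        // it belongs only to namespaces whose workloads are already fully
        // trusted (node agents and the like).
        insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "insecure") {
            spec: {
                privileged: true,
                allowPrivilegeEscalation: true,
                allowedCapabilities: ['*'],
                volumes: ['*'],
                hostNetwork: true,
                // Only constrains declared `hostPort` values. With hostNetwork
                // enabled a container can bind any port directly, so this is
                // a tidiness limit, not a security boundary.
                hostPorts: [
                    { max: 40000, min: 1 },
                ],
                hostIPC: true,
                hostPID: true,
                runAsUser: {
                    rule: 'RunAsAny',
                },
                seLinux: {
                    rule: 'RunAsAny',
                },
                supplementalGroups: {
                    rule: 'RunAsAny',
                },
                fsGroup: {
                    rule: 'RunAsAny',
                },
            },
        },
        // ClusterRole granting `use` on the insecure policy. It is cluster
        // scoped so that it can be bound per namespace via RoleBindings
        // (see AllowNamespaceInsecure below).
        insecureRole: kube.ClusterRole(policies.policyNameAllowInsecure) {
            rules: [
                {
                    apiGroups: ['policy'],
                    resources: ['podsecuritypolicies'],
                    verbs: ['use'],
                    resourceNames: ['insecure'],
                }
            ],
        },

        // Secure: very limited subset of security policy, everyone is allowed
        // to spawn containers of this kind. (The cluster-wide binding that
        // makes it available to everyone is expected to live outside this
        // file; only the role is defined here.)
        secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "secure") {
            spec: {
                privileged: false,
                # Required to prevent escalations to root: sets no_new_privs on
                # the container, so setuid binaries and file capabilities cannot
                # raise privileges at exec time.
                allowPrivilegeEscalation: false,
                # Drop the whole capability bounding set. Because runAsUser
                # below is RunAsAny (root is permitted), this is NOT redundant
                # here - it is what keeps a UID-0 container from holding
                # CAP_SYS_ADMIN, CAP_NET_RAW, CAP_NET_ADMIN and friends.
                requiredDropCapabilities: ["ALL"],
                # Allow core volume types only. hostPath is deliberately absent:
                # combined with RunAsAny it would give root-level access to node
                # files.
                volumes: [
                    'configMap',
                    'emptyDir',
                    'projected',
                    'secret',
                    'downwardAPI',
                    'persistentVolumeClaim',
                ],
                hostNetwork: false,
                hostIPC: false,
                hostPID: false,
                runAsUser: {
                    # Allow to run as root - docker, we trust you here.
                    # Root inside the container is still confined by the
                    # dropped capabilities and no_new_privs above, but it is
                    # the biggest remaining hole in this policy (any kernel or
                    # runtime escape is a root escape). MustRunAsNonRoot would
                    # close it at the cost of breaking images that expect UID 0.
                    rule: 'RunAsAny',
                },
                seLinux: {
                    rule: 'RunAsAny',
                },
                # NOTE: runAsGroup is not set, so the primary GID is unconstrained
                # (GID 0 included). The ranges below only apply to supplemental
                # groups and to fsGroup.
                supplementalGroups: {
                    rule: 'MustRunAs',
                    ranges: [
                        {
                            # Forbid adding the root group.
                            min: 1,
                            max: 65535,
                        }
                    ],
                },
                fsGroup: {
                    rule: 'MustRunAs',
                    ranges: [
                        {
                            # Forbid adding the root group.
                            min: 1,
                            max: 65535,
                        }
                    ],
                },
                # A writable root filesystem is allowed so that images which
                # write under / keep working; this is a deliberate usability
                # trade-off.
                readOnlyRootFilesystem: false,
                # Nothing in this policy pins a seccomp or AppArmor profile;
                # under PSP those are controlled through annotations on the
                # policy object, and none are added here.
            },
        },
        // ClusterRole granting `use` on the secure policy.
        secureRole: kube.ClusterRole(policies.policyNameAllowSecure) {
            rules: [
                {
                    apiGroups: ['policy'],
                    resources: ['podsecuritypolicies'],
                    verbs: ['use'],
                    resourceNames: ['secure'],
                },
            ],
        },

        // MostlySecure: like secure, but allows for setuid inside containers.
        // Only allowPrivilegeEscalation differs (no_new_privs is not set), so
        // setuid-bit binaries and file capabilities take effect at exec again.
        // privileged: false and requiredDropCapabilities: ["ALL"] are still
        // inherited from `secure`.
        // NOTE(review): with an empty bounding set such a binary can change its
        // UID but should gain no capabilities, and the setuid()/setgid()
        // syscalls that need CAP_SETUID/CAP_SETGID stay unavailable - confirm
        // on the runtime in use that this actually enables the intended
        // workloads rather than just widening the policy.
        mostlySecure: cluster.secure {
            metadata+: {
                name: "mostlysecure",
            },
            spec+: {
                allowPrivilegeEscalation: true,
            },
        },
        // ClusterRole granting `use` on the mostlysecure policy.
        mostlySecureRole: kube.ClusterRole(policies.policyNameAllowMostlySecure) {
            rules: [
                {
                    apiGroups: ['policy'],
                    resources: ['podsecuritypolicies'],
                    verbs: ['use'],
                    resourceNames: ['mostlysecure'],
                },
            ],
        },
    },

    # Allow insecure access to all service accounts in a given namespace.
    #
    # The RoleBinding is namespaced, so it only affects pods created in
    # `namespace`. The subject is the per-namespace service account group
    # (system:serviceaccounts:<namespace>) rather than the cluster-wide
    # system:serviceaccounts group, which would also match service accounts
    # from every other namespace. PSP admission authorises a pod if either the
    # requester or the pod's own service account may `use` the policy, and a
    # pod's service account always lives in the pod's namespace, so the
    # narrower group covers every pod this namespace can create.
    #
    # Remember that this hands out node root (see Cluster.insecure).
    AllowNamespaceInsecure(namespace): {
        rb: kube.RoleBinding("policy:allow-insecure-in-" + namespace) {
            metadata+: {
                namespace: namespace,
            },
            roleRef_: policies.Cluster.insecureRole,
            subjects: [
                {
                    kind: "Group",
                    apiGroup: "rbac.authorization.k8s.io",
                    name: "system:serviceaccounts:" + namespace,
                }
            ],
        },
    },

    # Allow mostlysecure access to all service accounts in a given namespace.
    #
    # Same shape and same subject scoping as AllowNamespaceInsecure: the
    # binding is namespaced and the subject is the service account group of
    # that namespace only.
    AllowNamespaceMostlySecure(namespace): {
        rb: kube.RoleBinding("policy:allow-mostlysecure-in-" + namespace) {
            metadata+: {
                namespace: namespace,
            },
            roleRef_: policies.Cluster.mostlySecureRole,
            subjects: [
                {
                    kind: "Group",
                    apiGroup: "rbac.authorization.k8s.io",
                    name: "system:serviceaccounts:" + namespace,
                }
            ],
        },
    },
}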