local kube = import "kube.libsonnet";
{
    local policies = self,

    # Names of the ClusterRoles (defined in Cluster below) that grant `use`
    # on the two PodSecurityPolicies. Bindings elsewhere refer to these names.
    policyNameAllowInsecure: "policy:allow-insecure",
    policyNameAllowSecure: "policy:allow-secure",

    # NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated since
    # Kubernetes 1.21 and removed in 1.25. On clusters past that version these
    # objects are no longer enforced, so the constraints below need to be
    # re-expressed via Pod Security Admission or an external admission
    # controller to keep their effect.
    Cluster: {
        # Fully permissive policy: privileged containers, every capability,
        # every volume type (including hostPath), and the host network/IPC/PID
        # namespaces. Granting `use` on this is effectively granting root on
        # the node; bind it only to namespaces trusted as much as the nodes.
        insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "insecure") {
            spec: {
                privileged: true,
                allowPrivilegeEscalation: true,
                allowedCapabilities: ['*'],
                volumes: ['*'],
                hostNetwork: true,
                hostIPC: true,
                hostPID: true,
                runAsUser: {
                    rule: 'RunAsAny',
                },
                seLinux: {
                    rule: 'RunAsAny',
                },
                supplementalGroups: {
                    rule: 'RunAsAny',
                },
                fsGroup: {
                    rule: 'RunAsAny',
                },
            },
        },
        # ClusterRole granting `use` on the "insecure" PSP above. It has no
        # effect on its own until bound (see AllowNamespaceInsecure below).
        insecureRole: kube.ClusterRole(policies.policyNameAllowInsecure) {
            rules: [
                {
                    apiGroups: ['policy'],
                    resources: ['podsecuritypolicies'],
                    verbs: ['use'],
                    resourceNames: ['insecure'],
                }
            ],
        },
        # Restricted policy for ordinary workloads: no privileged containers,
        # no privilege escalation, all capabilities dropped, no host
        # namespaces, and only the core non-host volume types. Note that it
        # still permits running as UID 0 (see runAsUser below).
        secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "secure") {
            spec: {
                privileged: false,
                # Required to prevent escalations to root (sets no_new_privs,
                # so setuid binaries and file capabilities cannot add
                # privileges at exec time).
                allowPrivilegeEscalation: false,
                # NOT redundant in this policy: runAsUser below is RunAsAny, so
                # a container may start as UID 0 and would otherwise keep the
                # runtime's default capability set. Dropping everything is what
                # keeps a root process under this policy unprivileged, and it
                # is defense in depth for non-root processes.
                requiredDropCapabilities: ["ALL"],
                # Allow core volume types. hostPath is deliberately absent -
                # it would give a pod access to the node's filesystem.
                volumes: [
                    'configMap',
                    'emptyDir',
                    'projected',
                    'secret',
                    'downwardAPI',
                    'persistentVolumeClaim',
                ],
                hostNetwork: false,
                hostIPC: false,
                hostPID: false,
                runAsUser: {
                    # Running as root (UID 0) is deliberately permitted -
                    # "docker, we trust you here". Container root is contained
                    # only by allowPrivilegeEscalation: false and
                    # requiredDropCapabilities: ["ALL"] above. MustRunAsNonRoot
                    # would be the stricter choice, but would reject images
                    # that start as root.
                    rule: 'RunAsAny',
                },
                seLinux: {
                    rule: 'RunAsAny',
                },
                supplementalGroups: {
                    rule: 'MustRunAs',
                    ranges: [
                        {
                            # Forbid adding the root group (GID 0).
                            min: 1,
                            max: 65535,
                        }
                    ],
                },
                fsGroup: {
                    rule: 'MustRunAs',
                    ranges: [
                        {
                            # Forbid adding the root group (GID 0).
                            # NOTE(review): with MustRunAs, PSP admission
                            # defaults an unset fsGroup to the first range's
                            # minimum (GID 1 here), which then owns mounted
                            # volumes - confirm that is intended.
                            min: 1,
                            max: 65535,
                        }
                    ],
                },
                # A writable root filesystem is allowed; workloads can still
                # opt into a read-only root via their own securityContext.
                readOnlyRootFilesystem: false,
            },
        },
        # ClusterRole granting `use` on the "secure" PSP above.
        secureRole: kube.ClusterRole(policies.policyNameAllowSecure) {
            rules: [
                {
                    apiGroups: ['policy'],
                    resources: ['podsecuritypolicies'],
                    verbs: ['use'],
                    resourceNames: ['secure'],
                },
            ],
        },
    },

    # Allow insecure access to all service accounts in a given namespace.
    # The RoleBinding is namespaced, so although the subject is the
    # cluster-wide "system:serviceaccounts" group, the `use` grant only takes
    # effect for pods in `namespace`. NOTE(review): the narrower group
    # "system:serviceaccounts:" + namespace would express the same intent
    # more explicitly - confirm nothing relies on the wider group.
    AllowNamespaceInsecure(namespace): {
        rb: kube.RoleBinding("policy:allow-insecure-in-" + namespace) {
            metadata+: {
                namespace: namespace,
            },
            roleRef_: policies.Cluster.insecureRole,
            subjects: [
                {
                    kind: "Group",
                    apiGroup: "rbac.authorization.k8s.io",
                    name: "system:serviceaccounts",
                }
            ],
        },
    },
}
|