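# PodSecurityPolicy (policy/v1beta1) objects plus the RBAC needed to use them.
#
# Two cluster-wide policies are produced:
#   * "insecure" - permits everything (privileged containers, host namespaces,
#     any volume type, any capability). Grant it only where genuinely needed.
#   * "secure"   - forbids privilege escalation and host namespaces, drops every
#     capability and restricts volumes to the core, non-host types. It still
#     allows running as UID 0 (see the runAsUser comment below).
# Each policy comes with a ClusterRole granting the "use" verb on it, and
# AllowNamespaceInsecure(namespace) binds the insecure role for one namespace.
#
# NOTE: PodSecurityPolicy was removed from Kubernetes in v1.25; these objects
# only apply to clusters that still serve the policy/v1beta1 API.
local kube = import "kube.libsonnet";

{
  local policies = self,

  # The PSP object names are shared by each policy and by the ClusterRole that
  # grants "use" on it, so the two cannot silently drift apart.
  local insecurePolicyName = "insecure",
  local securePolicyName = "secure",

  # ClusterRole that permits "use" of exactly one named PSP.
  local usePolicyRole(roleName, policyName) = kube.ClusterRole(roleName) {
    rules: [
      {
        apiGroups: ["policy"],
        resources: ["podsecuritypolicies"],
        verbs: ["use"],
        resourceNames: [policyName],
      },
    ],
  },

  # Names of the ClusterRoles, exported so bindings elsewhere can refer to them.
  policyNameAllowInsecure: "policy:allow-insecure",
  policyNameAllowSecure: "policy:allow-secure",

  # Cluster-scoped objects: the two policies and their "use" roles.
  Cluster: {
    # Unrestricted policy: everything a pod can ask for is allowed.
    insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", insecurePolicyName) {
      spec: {
        privileged: true,
        allowPrivilegeEscalation: true,
        allowedCapabilities: ["*"],
        volumes: ["*"],
        hostNetwork: true,
        hostIPC: true,
        hostPID: true,
        runAsUser: { rule: "RunAsAny" },
        seLinux: { rule: "RunAsAny" },
        supplementalGroups: { rule: "RunAsAny" },
        fsGroup: { rule: "RunAsAny" },
      },
    },

    insecureRole: usePolicyRole(policies.policyNameAllowInsecure, insecurePolicyName),

    # Restricted policy: no privilege escalation, no host namespaces, no
    # capabilities, only core volume types.
    secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", securePolicyName) {
      spec: {
        privileged: false,
        # Required to prevent escalations to root (setuid binaries, etc.).
        allowPrivilegeEscalation: false,
        # NOTE(review): runAsUser below is RunAsAny, so this policy does NOT
        # enforce non-root. Dropping all capabilities is therefore the primary
        # control here, not a redundant defence-in-depth measure.
        requiredDropCapabilities: ["ALL"],
        # Allow core volume types only; host paths and cloud/host-backed
        # volume plugins are excluded.
        volumes: [
          "configMap",
          "emptyDir",
          "projected",
          "secret",
          "downwardAPI",
          "persistentVolumeClaim",
        ],
        hostNetwork: false,
        hostIPC: false,
        hostPID: false,
        runAsUser: {
          # Running as root is deliberately permitted (many images still
          # expect UID 0). Tighten to MustRunAsNonRoot if workloads allow it.
          rule: "RunAsAny",
        },
        seLinux: {
          rule: "RunAsAny",
        },
        supplementalGroups: {
          rule: "MustRunAs",
          ranges: [
            {
              # min: 1 forbids adding the root group (GID 0).
              min: 1,
              max: 65535,
            },
          ],
        },
        fsGroup: {
          rule: "MustRunAs",
          ranges: [
            {
              # min: 1 forbids adding the root group (GID 0).
              min: 1,
              max: 65535,
            },
          ],
        },
        readOnlyRootFilesystem: false,
      },
    },

    secureRole: usePolicyRole(policies.policyNameAllowSecure, securePolicyName),
  },

  # Allow insecure access to all service accounts in a given namespace.
  #
  # Produces a namespaced RoleBinding of the insecure ClusterRole to the
  # cluster-wide "system:serviceaccounts" group; because the binding lives in
  # `namespace`, it only applies to pods created in that namespace. Use
  # sparingly: every workload there can then run fully privileged.
  AllowNamespaceInsecure(namespace): {
    rb: kube.RoleBinding("policy:allow-insecure-in-" + namespace) {
      metadata+: {
        namespace: namespace,
      },
      roleRef_: policies.Cluster.insecureRole,
      subjects: [
        {
          kind: "Group",
          apiGroup: "rbac.authorization.k8s.io",
          name: "system:serviceaccounts",
        },
      ],
    },
  },
}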