@PhilipSchmid
Created October 23, 2020 15:12
A (more or less) complete RBAC example for Kubernetes
---
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# Attention: This PSP has quite some loose restrictions! Do not just copy & paste it!
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
---
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token
apiVersion: v1
kind: ServiceAccount
metadata:
  name: exampletest
  namespace: default
---
# Can sometimes also be a ClusterRole - depending on the use case.
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: exampletest-role
  namespace: default
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - example
---
# Can sometimes also be a ClusterRoleBinding - depending on the use case.
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: exampletest-rolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: exampletest-role
subjects:
  - kind: ServiceAccount
    name: exampletest
    namespace: default
---
# Required with the RBAC stuff above -> ServiceAccount: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
# Optional -> SecurityContext: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
apiVersion: v1
kind: Pod
metadata:
  name: exampletest
  namespace: default
spec:
  serviceAccountName: exampletest
  containers:
    - args:
        - "/bin/sleep"
        - "3600"
      image: alpine:3.12
      name: exampletest
      securityContext:
        privileged: true
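Added example (not part of the gist): a small audit that follows the chain above the way the API server does, from RoleBinding to Role to the `use` verb on a named PodSecurityPolicy, and reports which ServiceAccount ends up allowed to run pods under a permissive PSP. It works on objects in the JSON shape `kubectl get psp,roles,rolebindings -A -o json` returns; the `OBJECTS` sample is constructed inline from the gist's manifests, so it runs without a cluster.

```python
"""Audit which ServiceAccounts may 'use' a PodSecurityPolicy and how permissive it is.
Input: objects as 'kubectl get ... -o json' returns them; OBJECTS is a constructed sample."""
import json

OBJECTS = json.loads("""[
 {"kind":"PodSecurityPolicy","metadata":{"name":"example"},"spec":{"privileged":true,
  "allowPrivilegeEscalation":true,"hostNetwork":true,"allowedCapabilities":["*"],"volumes":["*"]}},
 {"kind":"Role","metadata":{"name":"exampletest-role","namespace":"default"},"rules":[{"apiGroups":
  ["policy"],"resources":["podsecuritypolicies"],"verbs":["use"],"resourceNames":["example"]}]},
 {"kind":"RoleBinding","metadata":{"name":"exampletest-rolebinding","namespace":"default"},
  "roleRef":{"kind":"Role","name":"exampletest-role"},
  "subjects":[{"kind":"ServiceAccount","name":"exampletest","namespace":"default"}]}
]""")

def risky_settings(psp):
    """PSP spec fields that weaken isolation: host namespaces, privilege, wildcard lists."""
    spec = psp["spec"]
    found = [k for k in ("privileged", "allowPrivilegeEscalation", "hostNetwork",
                         "hostPID", "hostIPC") if spec.get(k)]
    return found + [k for k in ("allowedCapabilities", "volumes") if "*" in spec.get(k, [])]

def psp_grants(role):
    """Names of PSPs a Role/ClusterRole lets its subjects 'use'; '*' means every PSP."""
    names = set()
    for rule in role.get("rules", []):
        if ("podsecuritypolicies" in rule.get("resources", [])
                and {"use", "*"} & set(rule.get("verbs", []))):
            names.update(rule.get("resourceNames") or ["*"])  # no resourceNames = all PSPs
    return names

def audit(objects):
    """Map 'namespace/serviceaccount' -> sorted risky fields of every PSP it may use."""
    psps = {o["metadata"]["name"]: o for o in objects if o["kind"] == "PodSecurityPolicy"}
    # Roles are namespaced, ClusterRoles are not: key by (kind, namespace, name).
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    report = {}
    for b in (o for o in objects if o["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        ref, ns = b["roleRef"], b["metadata"].get("namespace", "")
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
        if role is None:  # a binding to a missing role grants nothing
            continue
        granted = psp_grants(role)
        targets = psps.values() if "*" in granted else [psps[n] for n in granted if n in psps]
        for s in b.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                key = f"{s.get('namespace', ns)}/{s['name']}"
                for p in targets:
                    report.setdefault(key, set()).update(risky_settings(p))
    return {k: sorted(v) for k, v in report.items()}
```

For the gist's objects the report has one entry, `default/exampletest`, listing every loosened field of the `example` PSP; a PSP with the same fields set to false and explicit volume types produces an empty list.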