
@abihf
Created February 25, 2020 15:41
EKS Restricted pod security policy

You might want to add additional service accounts to the ClusterRoleBinding `psp:privileged`.

```sh
kubectl apply -f eks-restricted-psp.yml

# delete the default role binding that grants every authenticated subject the privileged PSP
kubectl delete clusterrolebinding eks:podsecuritypolicy:authenticated
```
eks-restricted-psp.yml

```yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
  name: eks.restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []
  requiredDropCapabilities:
    - ALL
  hostIPC: false
  hostNetwork: false
  hostPID: false
  readOnlyRootFilesystem: false
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - secret
    - projected
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged
rules:
  - apiGroups:
      - extensions
    resourceNames:
      - eks.privileged
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
  - apiGroups:
      - extensions
    resourceNames:
      - eks.restricted
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
  - kind: ServiceAccount
    name: aws-node
    namespace: kube-system
  - kind: ServiceAccount
    name: kube-proxy
    namespace: kube-system
  - kind: ServiceAccount
    name: coredns
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:authenticated
```
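Once the default `eks:podsecuritypolicy:authenticated` binding is deleted, any pod that does not satisfy `eks.restricted` (and whose service account is not in `psp:privileged`) will fail admission. The following pre-flight check is an added example, not part of the gist: it takes a pod spec as a Python dict (what `kubectl get pod -o json` returns under `.spec`) and reports which constraints of the restricted policy above it would trip. The sample specs `WEB_POD` and `AGENT_POD` are constructed for illustration.

```python
"""Pre-flight check for the eks.restricted PodSecurityPolicy above (added
example, not part of the gist). Models only the fields that policy actually
constrains; its RunAsAny rules and readOnlyRootFilesystem: false constrain nothing."""
from typing import Dict, List

# Constraints copied from the eks.restricted PodSecurityPolicy in the gist.
RESTRICTED = {
    "hostNetwork": False, "hostPID": False, "hostIPC": False,
    "privileged": False, "allowPrivilegeEscalation": False,
    "allowedCapabilities": [],
    "volumes": ["configMap", "downwardAPI", "emptyDir", "secret", "projected"],
}


def violations(pod_spec: Dict, psp: Dict = RESTRICTED) -> List[str]:
    """Reasons the PSP admission controller would reject pod_spec ([] = admitted)."""
    out: List[str] = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field) and not psp[field]:
            out.append(f"{field}: true is not allowed")
    for vol in pod_spec.get("volumes", []):
        # A volume carries exactly one type key besides "name", e.g. hostPath.
        for vtype in (k for k in vol if k != "name"):
            if vtype not in psp["volumes"]:
                out.append(f"volume {vol['name']!r} uses disallowed type {vtype}")
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") and not psp["privileged"]:
            out.append(f"container {c['name']!r} is privileged")
        # Only an explicit true is rejected; when unset the controller mutates it to false.
        if sc.get("allowPrivilegeEscalation") is True and not psp["allowPrivilegeEscalation"]:
            out.append(f"container {c['name']!r} sets allowPrivilegeEscalation: true")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap not in psp["allowedCapabilities"]:
                out.append(f"container {c['name']!r} adds capability {cap}")
    return out


# Constructed sample specs: a plain web pod and a host-level agent pod.
WEB_POD = {"containers": [{"name": "web", "image": "nginx"}],
           "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}]}
AGENT_POD = {"hostNetwork": True,
             "containers": [{"name": "agent", "image": "agent",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["NET_ADMIN"]}}}],
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}

if __name__ == "__main__":
    for name, spec in (("web", WEB_POD), ("agent", AGENT_POD)):
        print(name, violations(spec) or "admitted")
```

Run it over every pod spec in the cluster before deleting the default binding; anything that reports violations must either be fixed or run under a service account you add to `psp:privileged`.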