Created
December 11, 2020 21:26
-
-
Save funkypenguin/e8ed46c118a4b77af066400fa8c88f28 to your computer and use it in GitHub Desktop.
psp-for-istio-cni
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
name: istio-cni-node | |
annotations: | |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' | |
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' | |
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
spec: | |
allowedHostPaths: | |
- pathPrefix: "/opt/cni/bin" | |
- pathPrefix: "/etc/cni/net.d" | |
privileged: false | |
allowPrivilegeEscalation: true | |
defaultAllowPrivilegeEscalation: false | |
requiredDropCapabilities: | |
- ALL | |
# Allow non-persistent volume types. | |
volumes: | |
- 'configMap' | |
- 'emptyDir' | |
- 'projected' | |
- 'secret' | |
- 'downwardAPI' | |
- 'hostPath' | |
hostNetwork: true | |
hostIPC: false | |
hostPID: false | |
runAsUser: | |
# Istio containers don't run as non-root, so until this is fixed, we have to permit this | |
rule: 'RunAsAny' | |
seLinux: | |
# This policy assumes the nodes are using AppArmor rather than SELinux. | |
rule: 'RunAsAny' | |
supplementalGroups: | |
rule: 'RunAsAny' | |
fsGroup: | |
rule: 'RunAsAny' | |
readOnlyRootFilesystem: false | |
--- | |
# Cluster role which grants access to the default pod security policy | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
name: psp-istio-cni-node | |
rules: | |
- apiGroups: | |
- policy | |
resourceNames: | |
- istio-cni-node | |
resources: | |
- podsecuritypolicies | |
verbs: | |
- use | |
--- | |
# Cluster role binding for default pod security policy granting all authenticated users access | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: RoleBinding | |
metadata: | |
name: psp-istio-cni-node | |
namespace: istio-system | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: psp-istio-cni-node | |
subjects: | |
- apiGroup: rbac.authorization.k8s.io | |
kind: Group | |
name: system:nodes | |
# For all service accounts in the kube-system namespace | |
- kind: ServiceAccount | |
name: istio-cni |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment