@jasonkeene
Last active November 30, 2018 23:03
Kubernetes God Mode PodSecurityPolicy

God Mode

This PodSecurityPolicy allows pretty much anything to run in a given namespace: privileged containers, the host's network, PID and IPC namespaces, any host port, any capability, any volume type and any UID.

The Role and RoleBinding are namespaced objects, so when you apply this file make sure it goes to the intended namespace (the `-n` flag in the commands below).

Also, delete this when you are done.

Usage:

kubectl apply -n foo -f https://gist.githubusercontent.com/jasonkeene/25dca9a59040b000cc9f526755408f9e/raw/c81b281460dc87626a6ff4b2b3710633f8a9f462/god-mode.yml
kubectl delete -n foo -f https://gist.githubusercontent.com/jasonkeene/25dca9a59040b000cc9f526755408f9e/raw/c81b281460dc87626a6ff4b2b3710633f8a9f462/god-mode.yml
# god-mode.yml
#
# Only enforced when the PodSecurityPolicy admission controller is enabled on the
# API server. PodSecurityPolicy (policy/v1beta1) was deprecated in Kubernetes 1.21
# and removed in 1.25.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: god-mode
  annotations:
    # Any seccomp profile, including "unconfined", may be requested.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  # Every volume type, including hostPath.
  volumes:
  - '*'
  # Host namespaces and the full host port range.
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  # No constraints on UID, SELinux context or group IDs.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
---
# A PSP only applies to pods whose service account (or creating user) is
# authorized to "use" it; this Role grants that for the god-mode PSP only.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: god-mode
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - god-mode
---
# Binds the Role to the "default" ServiceAccount. No namespace is given for the
# subject, so it resolves to the namespace this RoleBinding is applied to.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: god-mode
subjects:
- kind: ServiceAccount
  name: default
roleRef:
  kind: Role
  name: god-mode
  apiGroup: rbac.authorization.k8s.io
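Added example, not part of the gist: a small audit that reports which controls a PodSecurityPolicy leaves unrestricted, given the object in the shape `kubectl get psp <name> -o json` returns. It is a quick way to find a god-mode policy that was never deleted; the sample object is a constructed copy of the PSP above.

```python
# Annotation key the PodSecurityPolicy admission plugin reads for seccomp.
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"

# Constructed sample: the god-mode PSP above, as the dict you would get from
# `kubectl get psp god-mode -o json` (status and managed fields omitted).
GOD_MODE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "god-mode", "annotations": {SECCOMP_ANNOTATION: "*"}},
    "spec": {
        "privileged": True,
        "allowPrivilegeEscalation": True,
        "allowedCapabilities": ["*"],
        "volumes": ["*"],
        "hostNetwork": True,
        "hostPorts": [{"min": 0, "max": 65535}],
        "hostIPC": True,
        "hostPID": True,
        "runAsUser": {"rule": "RunAsAny"},
        "seLinux": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
    },
}

# (finding, predicate over spec). The .get() defaults mirror the PSP API: omitted
# booleans are false (except allowPrivilegeEscalation, which defaults to true) and
# an omitted allow-list allows nothing.
SPEC_CHECKS = [
    ("privileged containers allowed", lambda s: s.get("privileged", False)),
    ("privilege escalation allowed", lambda s: s.get("allowPrivilegeEscalation", True)),
    ("all capabilities allowed", lambda s: "*" in s.get("allowedCapabilities", [])),
    ("all volume types allowed (incl. hostPath)", lambda s: "*" in s.get("volumes", [])),
    ("host network allowed", lambda s: s.get("hostNetwork", False)),
    ("host PID namespace allowed", lambda s: s.get("hostPID", False)),
    ("host IPC namespace allowed", lambda s: s.get("hostIPC", False)),
    ("every host port allowed", lambda s: any(
        p.get("min", 0) == 0 and p.get("max", 0) == 65535 for p in s.get("hostPorts", []))),
    ("containers may run as any user, including root",
     lambda s: s.get("runAsUser", {}).get("rule") == "RunAsAny"),
]


def audit_psp(psp):
    """Return the names of the controls a PodSecurityPolicy object leaves unrestricted."""
    spec = psp.get("spec", {})
    findings = [name for name, is_open in SPEC_CHECKS if is_open(spec)]
    annotations = psp.get("metadata", {}).get("annotations", {})
    if annotations.get(SECCOMP_ANNOTATION) == "*":
        findings.append("any seccomp profile allowed")
    return findings
```

Feed it every item of `kubectl get psp -o json` and any policy with a non-empty result deserves a look; the god-mode PSP above trips all ten checks.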