// Base helper library extended with a PodSecurityPolicy constructor.
// `lib + { ... }` is the explicit form of the `lib { ... }` mixin sugar.
local kube = (import "lib/kube.libsonnet") + {
  // Builds a policy/v1beta1 PodSecurityPolicy named `name`.
  // PSPs are cluster-scoped, so the assert (evaluated against the final
  // metadata object, i.e. after any later `metadata+:` mixins) rejects
  // any attempt to attach a namespace to the policy.
  PodSecurityPolicy(name):: kube._Object("policy/v1beta1", "PodSecurityPolicy", name) + {
    metadata+: {
      assert !std.objectHas(self, "namespace") : "PSPs are not namespaced",
    },
  },
};
// Four PodSecurityPolicy tiers, each derived from the previous one through
// Jsonnet object inheritance, plus the RBAC objects that let subjects "use"
// them. Output of `kubecfg -J lib psp.jsonnet` is shown further down.
// NOTE(review): policy/v1beta1 PodSecurityPolicy is deprecated since
// Kubernetes 1.21 and removed in 1.25; Pod Security Admission is the
// replacement, so this file only applies to clusters still on PSP.
{
  // Shared rule fragments, referenced below as $.runAsAny / $.runAsNonRoot.
  runAsAny:: { rule: "RunAsAny" },
  // MustRunAs over 1..65535: any id except 0; used for fsGroup and
  // supplementalGroups in the nonroot tier (runAsUser uses MustRunAsNonRoot).
  runAsNonRoot:: { rule: "MustRunAs", ranges: [{ min: 1, max: 65535 }] },
  // Volume types kept once the wildcard is withdrawn; hostPath is deliberately
  // absent (see psp_mayroot).
  saneVolumes:: ['configMap', 'secret', 'emptyDir', 'projected', 'downwardAPI', 'persistentVolumeClaim'],
  /* psp_FOO policies below are "chained" to further restrict what they can do */
  // NOTE(review): PSP admission evaluates the policies a subject is allowed
  // to use in name order (non-mutating ones first) and admits on the first
  // match, so binding several tiers to one subject does not by itself force
  // the strictest tier; the set of bindings decides what a subject can do.
  // Allowing all: privileged, host stuff, as root
  // use-case: workloads requiring host mounts, networking (e.g. CNI pods), etc
  psp_privileged: kube.PodSecurityPolicy("privileged") {
    spec+: {
      allowedCapabilities: ['*'],
      privileged: true,
      allowPrivilegeEscalation: true,
      hostNetwork: true,
      hostIPC: true,
      hostPID: true,
      hostPorts: [{ min: 1, max: 65535 }],
      runAsUser: $.runAsAny,
      fsGroup: $.runAsAny,
      supplementalGroups: $.runAsAny,
      seLinux: $.runAsAny,
      volumes: ["*"],
    },
  },
  // Allowing root but void using/modifying host resources
  // use-case: most typical root containers
  // Derived from psp_privileged: every field not overridden below is kept.
  // NOTE(review): allowedCapabilities: ['*'] and seLinux: RunAsAny are
  // inherited unchanged (see the generated "mayroot" output), so a root
  // container admitted under this tier may still request any Linux
  // capability; only psp_restrictive narrows this. If "void host resources"
  // is the goal, consider overriding allowedCapabilities here as well.
  psp_mayroot: self.psp_privileged {
    metadata+: { name: "mayroot" },
    spec+: {
      privileged: false,
      allowPrivilegeEscalation: false,
      hostNetwork: false,
      hostIPC: false,
      hostPID: false,
      forbiddenSysctls: ['*'],
      // void hostPath for volumes
      volumes: $.saneVolumes,
      // Empty range list: no host ports may be requested.
      hostPorts: [],
    },
  },
  // Forcing non root
  // use-case: non-root, similar to openshift restrictions
  // Derived from psp_mayroot; runAsUser switches from RunAsAny to
  // MustRunAsNonRoot, group rules get the 1..65535 range.
  psp_nonroot: self.psp_mayroot {
    metadata+: { name: "nonroot" },
    spec+: {
      runAsUser: { rule: "MustRunAsNonRoot" },
      fsGroup: $.runAsNonRoot,
      supplementalGroups: $.runAsNonRoot,
    },
  },
  // Most restrictive, forcing capabilities drop
  // Derived from psp_nonroot; the only tier that overrides the inherited
  // allowedCapabilities wildcard.
  psp_restrictive: self.psp_nonroot {
    metadata+: { name: "restrictive" },
    spec+: {
      // Left disabled by the author, so even this tier still permits a
      // writable root filesystem.
      // readOnlyRootFilesystem: true,
      requiredDropCapabilities: ['ALL'],
      allowedCapabilities: [],
    },
  },
  // RBAC rule fragment granting the "use" verb on PSPs; pspBind narrows it
  // with resourceNames to a single policy.
  usePSP:: {
    apiGroups: ["policy"],
    resources: ["podsecuritypolicies"],
    verbs: ["use"],
  },
  // Grants `subjects` the right to use `psp`. With a namespace the grant is
  // a RoleBinding (pods in that namespace only); with null it is a
  // cluster-wide ClusterRoleBinding. Returns { clusterRole, roleBinding }.
  pspBind(psp, subjects, namespace):: {
    // Captured so roleBinding can refer to the sibling clusterRole; inside
    // roleBinding, `self` would be the binding object itself.
    local this = self,
    // Name layout is psp:<namespace>:<policy>. With ns == null the middle
    // segment is empty, which yields names like "psp::mayroot" (see the
    // generated ClusterRoleBinding); harmless but worth knowing when grepping.
    local roleName(pspName, ns) = "psp:%s:%s" % [ if ns != null then ns else "", pspName ],
    local kindCRB(ns) = if ns != null then "RoleBinding" else "ClusterRoleBinding",
    // metadata.namespace is only set for the namespaced binding.
    local meta(ns) = if ns != null then { namespace: ns } else {},
    // One ClusterRole per policy, limited to that policy via resourceNames.
    clusterRole: kube.ClusterRole('psp:' + psp.metadata.name) {
      rules: [ $.usePSP { resourceNames: [psp.metadata.name] } ],
    },
    // Built as a RoleBinding and re-kinded when cluster-wide; both kinds share
    // the same apiVersion (rbac.authorization.k8s.io/v1 in the output).
    roleBinding: kube.RoleBinding(roleName(psp.metadata.name, namespace)) {
      kind: kindCRB(namespace),
      metadata+: meta(namespace),
      // roleRef_ is presumably kube.libsonnet's helper that derives roleRef
      // (kind/name/apiGroup) from the object — matches the generated output.
      roleRef_: this.clusterRole,
      subjects: subjects,
    },
  },
  // Cluster-wide default PSP
  // Every authenticated user and every service account, in every namespace,
  // may use mayroot (root allowed, no host namespaces, no hostPath).
  // NOTE(review): nonroot and restrictive are defined above but not bound
  // anywhere in this file, so no subject can actually use them until a
  // corresponding bind_ entry is added.
  bind_clusterwide: $.pspBind($.psp_mayroot, [
    kube.Group("system:authenticated"),
    kube.Group("system:serviceaccounts"),
  ], null),
  // kube-system uses psp_privileged
  // Namespaced RoleBinding: these subjects may use "privileged" only for pods
  // created in kube-system.
  bind_kube_system_privileged: $.pspBind($.psp_privileged, [
    kube.Group("system:masters"),
    kube.Group("system:serviceaccounts:kube-system"),
    kube.Group("system:nodes"),
    // Legacy node ID
    kube.User("kubelet"),
  ], "kube-system"),
  // Example using wider policy on the default NS
  // bind_default_privileged: $.pspBind($.psp_privileged, [ kube.Group("system:serviceaccounts:default"), ], "default"),
}
# output from: kubecfg -J lib psp.jsonnet | |
--- | |
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
annotations: {} | |
labels: | |
name: privileged | |
name: privileged | |
spec: | |
allowPrivilegeEscalation: true | |
allowedCapabilities: | |
- '*' | |
fsGroup: | |
rule: RunAsAny | |
hostIPC: true | |
hostNetwork: true | |
hostPID: true | |
hostPorts: | |
- max: 65535 | |
min: 1 | |
privileged: true | |
runAsUser: | |
rule: RunAsAny | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
rule: RunAsAny | |
volumes: | |
- '*' | |
--- | |
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
annotations: {} | |
labels: | |
name: restrictive | |
name: restrictive | |
spec: | |
allowPrivilegeEscalation: false | |
allowedCapabilities: [] | |
forbiddenSysctls: | |
- '*' | |
fsGroup: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
hostIPC: false | |
hostNetwork: false | |
hostPID: false | |
hostPorts: [] | |
privileged: false | |
requiredDropCapabilities: | |
- ALL | |
runAsUser: | |
rule: MustRunAsNonRoot | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
volumes: | |
- configMap | |
- secret | |
- emptyDir | |
- projected | |
- downwardAPI | |
- persistentVolumeClaim | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
annotations: {} | |
labels: | |
name: psp-mayroot | |
name: psp:mayroot | |
rules: | |
- apiGroups: | |
- policy | |
resourceNames: | |
- mayroot | |
resources: | |
- podsecuritypolicies | |
verbs: | |
- use | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
annotations: {} | |
labels: | |
name: psp--mayroot | |
name: psp::mayroot | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: psp:mayroot | |
subjects: | |
- apiGroup: rbac.authorization.k8s.io | |
kind: Group | |
name: system:authenticated | |
- apiGroup: rbac.authorization.k8s.io | |
kind: Group | |
name: system:serviceaccounts | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
annotations: {} | |
labels: | |
name: psp-privileged | |
name: psp:privileged | |
rules: | |
- apiGroups: | |
- policy | |
resourceNames: | |
- privileged | |
resources: | |
- podsecuritypolicies | |
verbs: | |
- use | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: RoleBinding | |
metadata: | |
annotations: {} | |
labels: | |
name: psp-kube-system-privileged | |
name: psp:kube-system:privileged | |
namespace: kube-system | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: psp:privileged | |
subjects: | |
- apiGroup: rbac.authorization.k8s.io | |
kind: Group | |
name: system:masters | |
- apiGroup: rbac.authorization.k8s.io | |
kind: Group | |
name: system:serviceaccounts:kube-system | |
- apiGroup: rbac.authorization.k8s.io | |
kind: Group | |
name: system:nodes | |
- apiGroup: rbac.authorization.k8s.io | |
kind: User | |
name: kubelet | |
--- | |
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
annotations: {} | |
labels: | |
name: mayroot | |
name: mayroot | |
spec: | |
allowPrivilegeEscalation: false | |
allowedCapabilities: | |
- '*' | |
forbiddenSysctls: | |
- '*' | |
fsGroup: | |
rule: RunAsAny | |
hostIPC: false | |
hostNetwork: false | |
hostPID: false | |
hostPorts: [] | |
privileged: false | |
runAsUser: | |
rule: RunAsAny | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
rule: RunAsAny | |
volumes: | |
- configMap | |
- secret | |
- emptyDir | |
- projected | |
- downwardAPI | |
- persistentVolumeClaim | |
--- | |
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
annotations: {} | |
labels: | |
name: nonroot | |
name: nonroot | |
spec: | |
allowPrivilegeEscalation: false | |
allowedCapabilities: | |
- '*' | |
forbiddenSysctls: | |
- '*' | |
fsGroup: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
hostIPC: false | |
hostNetwork: false | |
hostPID: false | |
hostPorts: [] | |
privileged: false | |
runAsUser: | |
rule: MustRunAsNonRoot | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
volumes: | |
- configMap | |
- secret | |
- emptyDir | |
- projected | |
- downwardAPI | |
- persistentVolumeClaim |