// kube.libsonnet extended with a PodSecurityPolicy constructor.
// PSPs are cluster-scoped, so the constructor rejects any metadata.namespace
// that a caller (or a namespaced base) might mix in.
local kube = (import 'lib/kube.libsonnet') {
  PodSecurityPolicy(name):: kube._Object('policy/v1beta1', 'PodSecurityPolicy', name) {
    metadata+: {
      assert !std.objectHas(self, 'namespace') : 'PSPs are not namespaced',
    },
  },
};
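{
  // Shared PSP field fragments.
  runAsAny:: { rule: 'RunAsAny' },
  // Any non-zero uid/gid: the range floor of 1 excludes root (0).
  runAsNonRoot:: { rule: 'MustRunAs', ranges: [{ min: 1, max: 65535 }] },
  // Volume types that cannot reach the node filesystem (notably no hostPath).
  saneVolumes:: ['configMap', 'secret', 'emptyDir', 'projected', 'downwardAPI', 'persistentVolumeClaim'],

  // psp_FOO policies below are "chained" to further restrict what they can do:
  // each one inherits the previous policy and overrides only the fields it
  // tightens, so any field not listed keeps the value set by its ancestor.

  // Allowing all: privileged, host stuff, as root.
  // use-case: workloads requiring host mounts, networking (e.g. CNI pods), etc.
  // Binding this policy to a subject is equivalent to opting it out of PSP.
  psp_privileged: kube.PodSecurityPolicy('privileged') {
    spec+: {
      allowedCapabilities: ['*'],
      privileged: true,
      allowPrivilegeEscalation: true,
      hostNetwork: true,
      hostIPC: true,
      hostPID: true,
      hostPorts: [{ min: 1, max: 65535 }],
      runAsUser: $.runAsAny,
      fsGroup: $.runAsAny,
      supplementalGroups: $.runAsAny,
      seLinux: $.runAsAny,
      volumes: ['*'],
    },
  },

  // Allowing root but avoiding use/modification of host resources.
  // use-case: most typical root containers.
  // Still inherited from psp_privileged: allowedCapabilities ['*'] and
  // seLinux RunAsAny, so a pod under this policy may add any capability in
  // its securityContext; only psp_restrictive clears the capability list.
  psp_mayroot: self.psp_privileged {
    metadata+: { name: 'mayroot' },
    spec+: {
      privileged: false,
      allowPrivilegeEscalation: false,
      hostNetwork: false,
      hostIPC: false,
      hostPID: false,
      forbiddenSysctls: ['*'],
      // no hostPath: restrict volumes to the node-safe list
      volumes: $.saneVolumes,
      hostPorts: [],
    },
  },

  // Forcing non root.
  // use-case: non-root, similar to openshift restrictions.
  // runAsUser uses MustRunAsNonRoot (an explicit rule); fsGroup and
  // supplementalGroups only support MustRunAs, hence the 1..65535 range.
  psp_nonroot: self.psp_mayroot {
    metadata+: { name: 'nonroot' },
    spec+: {
      runAsUser: { rule: 'MustRunAsNonRoot' },
      fsGroup: $.runAsNonRoot,
      supplementalGroups: $.runAsNonRoot,
    },
  },

  // Most restrictive, forcing capabilities drop.
  psp_restrictive: self.psp_nonroot {
    metadata+: { name: 'restrictive' },
    spec+: {
      // readOnlyRootFilesystem: true,
      requiredDropCapabilities: ['ALL'],
      allowedCapabilities: [],
    },
  },

  // RBAC rule granting `use` on PSPs; resourceNames is filled in per policy
  // so a ClusterRole only covers the single PSP it is generated for.
  usePSP:: {
    apiGroups: ['policy'],
    resources: ['podsecuritypolicies'],
    verbs: ['use'],
  },

  // Grant `subjects` the right to use `psp`.
  // namespace == null => ClusterRoleBinding (cluster-wide);
  // otherwise a RoleBinding scoped to that namespace.
  // The ClusterRole is always cluster-scoped and named from the PSP only, so
  // several bindings of the same PSP share it.
  pspBind(psp, subjects, namespace):: {
    local this = self,
    local pspName = psp.metadata.name,
    // Cluster-wide bindings carry no namespace segment; formatting an empty
    // placeholder instead used to yield names such as 'psp::mayroot'.
    local bindingName =
      if namespace != null then 'psp:%s:%s' % [namespace, pspName]
      else 'psp:%s' % [pspName],

    clusterRole: kube.ClusterRole('psp:' + pspName) {
      rules: [$.usePSP { resourceNames: [pspName] }],
    },
    roleBinding: kube.RoleBinding(bindingName) {
      kind: if namespace != null then 'RoleBinding' else 'ClusterRoleBinding',
      metadata+: if namespace != null then { namespace: namespace } else {},
      roleRef_: this.clusterRole,
      subjects: subjects,
    },
  },

  // Cluster-wide default PSP: every authenticated principal and every
  // ServiceAccount in the cluster may run pods under psp_mayroot (root
  // allowed, all capabilities addable, no host access). Point this at
  // psp_nonroot or psp_restrictive where workloads permit it.
  bind_clusterwide: $.pspBind($.psp_mayroot, [
    kube.Group('system:authenticated'),
    kube.Group('system:serviceaccounts'),
  ], null),

  // kube-system uses psp_privileged (host-level components, see psp_privileged).
  // A namespaced RoleBinding keeps the grant from applying to these groups
  // elsewhere in the cluster.
  bind_kube_system_privileged: $.pspBind($.psp_privileged, [
    kube.Group('system:masters'),
    kube.Group('system:serviceaccounts:kube-system'),
    kube.Group('system:nodes'),
    // Legacy node ID; remove once no kubelet authenticates as this user.
    kube.User('kubelet'),
  ], 'kube-system'),

  // Example using wider policy on the default NS
  // bind_default_privileged: $.pspBind($.psp_privileged, [kube.Group('system:serviceaccounts:default')], 'default'),
}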
# output from: kubecfg -J lib psp.jsonnet
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations: {}
labels:
name: privileged
name: privileged
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
fsGroup:
rule: RunAsAny
hostIPC: true
hostNetwork: true
hostPID: true
hostPorts:
- max: 65535
min: 1
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations: {}
labels:
name: restrictive
name: restrictive
spec:
allowPrivilegeEscalation: false
allowedCapabilities: []
forbiddenSysctls:
- '*'
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
hostIPC: false
hostNetwork: false
hostPID: false
hostPorts: []
privileged: false
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- secret
- emptyDir
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations: {}
labels:
name: psp-mayroot
name: psp:mayroot
rules:
- apiGroups:
- policy
resourceNames:
- mayroot
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations: {}
labels:
name: psp--mayroot
name: psp::mayroot
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:mayroot
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations: {}
labels:
name: psp-privileged
name: psp:privileged
rules:
- apiGroups:
- policy
resourceNames:
- privileged
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: psp-kube-system-privileged
name: psp:kube-system:privileged
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:privileged
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:kube-system
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubelet
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations: {}
labels:
name: mayroot
name: mayroot
spec:
allowPrivilegeEscalation: false
allowedCapabilities:
- '*'
forbiddenSysctls:
- '*'
fsGroup:
rule: RunAsAny
hostIPC: false
hostNetwork: false
hostPID: false
hostPorts: []
privileged: false
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- configMap
- secret
- emptyDir
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations: {}
labels:
name: nonroot
name: nonroot
spec:
allowPrivilegeEscalation: false
allowedCapabilities:
- '*'
forbiddenSysctls:
- '*'
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
hostIPC: false
hostNetwork: false
hostPID: false
hostPorts: []
privileged: false
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- secret
- emptyDir
- projected
- downwardAPI
- persistentVolumeClaim