Skip to content

Instantly share code, notes, and snippets.

@mikaelkall
Last active June 12, 2020 11:20
Show Gist options
  • Save mikaelkall/ef0cd3873a10f8fc8af138d03efc348a to your computer and use it in GitHub Desktop.
Save mikaelkall/ef0cd3873a10f8fc8af138d03efc348a to your computer and use it in GitHub Desktop.
PodSecurityPolicy to Prevent hostPath Mount
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: developers-psp
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostPID: false
hostIPC: false
seLinux: { 'rule': 'RunAsAny' }
runAsUser: { 'rule': 'RunAsAny' }
fsGroup: { 'rule': 'RunAsAny' }
supplementalGroups: { 'rule': 'RunAsAny' }
volumes:
- 'emptyDir'
- 'configMap'
- 'secret'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: developers-psp-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- developers-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: developers-sa-psp-binding
roleRef:
kind: ClusterRole
name: developers-psp-role
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: developer-sa
namespace: developers
- kind: ServiceAccount
name: default
namespace: developers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment