PodSecurityPolicy to Prevent hostPath Mount (note: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on newer clusters enforce the same restrictions with Pod Security Admission or an admission policy engine)
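# PodSecurityPolicy for developer workloads. It rejects hostPath (and every
# other volume type not on the allow-list below), privileged containers,
# privilege escalation and host network/PID/IPC namespaces. It does NOT force
# non-root or drop any Linux capabilities -- see the notes inline.
#
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was deprecated in
# Kubernetes 1.21 and removed in 1.25, so this manifest will not apply on
# 1.25+. Use Pod Security Admission (namespace label
# pod-security.kubernetes.io/enforce=restricted) or a policy engine there.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: developers-psp
spec:
  privileged: false
  # Containers that request allowPrivilegeEscalation=true (needed by setuid
  # binaries) are rejected.
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # Security contexts are left open. RunAsAny still permits root (UID 0)
  # containers; change runAsUser to MustRunAsNonRoot if that is not intended.
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # Allow-list of volume types. hostPath is deliberately absent, so a pod that
  # declares one fails admission.
  volumes:
    - 'emptyDir'
    - 'configMap'
    - 'secret'
    # Bound service-account tokens (default since 1.21) are injected by the
    # ServiceAccount admission plugin as a 'projected' volume
    # (kube-api-access-*); without this entry, pods that automount a token
    # are rejected. projected sources are limited to secret/configMap/
    # downwardAPI/serviceAccountToken, so allowing it does not reopen hostPath.
    - 'projected'
---
# Grants the 'use' verb on the policy above. The PSP admission controller
# admits a pod if ANY policy usable by either the requesting user or the
# pod's service account validates it, so this PSP only restricts developers
# if no more permissive PSP is also usable by them. Audit other bindings
# (e.g. a privileged PSP bound to system:authenticated) before relying on it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developers-psp-role
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - developers-psp
---
# Binds the role to the service accounts developer pods run as. The 'default'
# SA is included because pods that omit serviceAccountName run as it. A
# RoleBinding in the developers namespace would grant the same 'use'
# permission while keeping the grant namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-sa-psp-binding
roleRef:
  kind: ClusterRole
  name: developers-psp-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: developer-sa
    namespace: developers
  - kind: ServiceAccount
    name: default
    namespace: developers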