@mikaelkall
Last active June 12, 2020 11:20
PodSecurityPolicy to Prevent hostPath Mount
```yaml
# PodSecurityPolicy for developer workloads: no privileged containers, no host
# namespaces, and an allow-list of volume types that deliberately omits hostPath.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: developers-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  seLinux: { 'rule': 'RunAsAny' }
  runAsUser: { 'rule': 'RunAsAny' }
  fsGroup: { 'rule': 'RunAsAny' }
  supplementalGroups: { 'rule': 'RunAsAny' }
  # Only these volume types are admitted; any pod declaring a hostPath volume is rejected.
  volumes:
    - 'emptyDir'
    - 'configMap'
    - 'secret'
---
# ClusterRole granting the "use" verb on this specific PSP only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developers-psp-role
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - developers-psp
---
# Bind the role to the service accounts that create pods in the developers namespace
# (including "default", which pods without an explicit serviceAccountName use).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-sa-psp-binding
roleRef:
  kind: ClusterRole
  name: developers-psp-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: developer-sa
    namespace: developers
  - kind: ServiceAccount
    name: default
    namespace: developers
```
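To see why this policy blocks a hostPath mount, here is an added example (not part of the gist) that re-implements the relevant PSP admission checks in plain Python: the `developers-psp` spec is transcribed as a dict, and two constructed pod specs are evaluated against it. `psp_violations`, `HOSTPATH_POD` and `EMPTYDIR_POD` are names chosen for this illustration.

```python
from typing import Dict, List

# The developers-psp spec from the gist, transcribed as a dict (no PyYAML needed).
DEVELOPERS_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "hostNetwork": False,
    "hostPID": False,
    "hostIPC": False,
    "volumes": ["emptyDir", "configMap", "secret"],
}
HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")


def psp_violations(psp: Dict, pod_spec: Dict) -> List[str]:
    """Reasons this PSP would reject pod_spec; an empty list means admitted."""
    reasons = []
    # Host namespaces: the pod may only request them if the PSP allows them.
    for field in HOST_NAMESPACE_FIELDS:
        if pod_spec.get(field, False) and not psp.get(field, False):
            reasons.append(f"{field} is not allowed")
    # Volume types: each pod volume's type key (anything but "name") must be allow-listed.
    allowed = set(psp.get("volumes", []))
    for vol in pod_spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype and "*" not in allowed and vtype not in allowed:
            reasons.append(f"volume {vol.get('name')!r} uses disallowed type {vtype}")
    # Per-container securityContext checks.
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged", False) and not psp.get("privileged", False):
            reasons.append(f"container {c['name']!r} requests privileged")
        # allowPrivilegeEscalation=false in the PSP forbids containers setting it to true.
        if sc.get("allowPrivilegeEscalation", False) and not psp.get("allowPrivilegeEscalation", True):
            reasons.append(f"container {c['name']!r} requests allowPrivilegeEscalation")
    return reasons


# Constructed sample pod specs (not from the gist).
HOSTPATH_POD = {
    "containers": [{"name": "app", "image": "busybox"}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
}
EMPTYDIR_POD = {
    "containers": [{"name": "app", "image": "busybox"}],
    "volumes": [{"name": "scratch", "emptyDir": {}}],
}

if __name__ == "__main__":
    print("hostPath pod:", psp_violations(DEVELOPERS_PSP, HOSTPATH_POD) or "admitted")
    print("emptyDir pod:", psp_violations(DEVELOPERS_PSP, EMPTYDIR_POD) or "admitted")
```

On a live cluster the equivalent check is `kubectl auth can-i use podsecuritypolicy/developers-psp --as=system:serviceaccount:developers:developer-sa`, which confirms the binding above is what grants the policy.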