Restricted PodSecurityPolicy
| apiVersion: extensions/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: restricted | |
| annotations: | |
| seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' | |
| apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
| seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' | |
| apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
| spec: | |
| privileged: false | |
| # Required to prevent escalations to root. | |
| allowPrivilegeEscalation: false | |
| # This is redundant with non-root + disallow privilege escalation, | |
| # but we can provide it for defense in depth. | |
| requiredDropCapabilities: | |
| - ALL | |
| # Allow core volume types. | |
| volumes: | |
| - 'configMap' | |
| - 'emptyDir' | |
| - 'projected' | |
| - 'secret' | |
| - 'downwardAPI' | |
| # Assume that persistentVolumes set up by the cluster admin are safe to use. | |
| - 'persistentVolumeClaim' | |
| hostNetwork: false | |
| hostIPC: false | |
| hostPID: false | |
| runAsUser: | |
| # Require the container to run without root privileges. | |
| rule: 'MustRunAsNonRoot' | |
| seLinux: | |
| # This policy assumes the nodes are using AppArmor rather than SELinux. | |
| rule: 'RunAsAny' | |
| supplementalGroups: | |
| rule: 'MustRunAs' | |
| ranges: | |
| # Forbid adding the root group. | |
| - min: 1 | |
| max: 65535 | |
| fsGroup: | |
| rule: 'MustRunAs' | |
| ranges: | |
| # Forbid adding the root group. | |
| - min: 1 | |
| max: 65535 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment