Restricted PodSecurityPolicy
apiVersion: extensions/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
name: restricted | |
annotations: | |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' | |
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' | |
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
spec: | |
privileged: false | |
# Required to prevent escalations to root. | |
allowPrivilegeEscalation: false | |
# This is redundant with non-root + disallow privilege escalation, | |
# but we can provide it for defense in depth. | |
requiredDropCapabilities: | |
- ALL | |
# Allow core volume types. | |
volumes: | |
- 'configMap' | |
- 'emptyDir' | |
- 'projected' | |
- 'secret' | |
- 'downwardAPI' | |
# Assume that persistentVolumes set up by the cluster admin are safe to use. | |
- 'persistentVolumeClaim' | |
hostNetwork: false | |
hostIPC: false | |
hostPID: false | |
runAsUser: | |
# Require the container to run without root privileges. | |
rule: 'MustRunAsNonRoot' | |
seLinux: | |
# This policy assumes the nodes are using AppArmor rather than SELinux. | |
rule: 'RunAsAny' | |
supplementalGroups: | |
rule: 'MustRunAs' | |
ranges: | |
# Forbid adding the root group. | |
- min: 1 | |
max: 65535 | |
fsGroup: | |
rule: 'MustRunAs' | |
ranges: | |
# Forbid adding the root group. | |
- min: 1 | |
max: 65535 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment