Skip to content

Instantly share code, notes, and snippets.

@tallclair

tallclair/restricted-psp.yaml

Last active April 16, 2024 07:46
Show Gist options
  • Star 61 You must be signed in to star a gist
  • Fork 19 You must be signed in to fork a gist
  • Save tallclair/11981031b6bfa829bb1fb9dcb7e026b0 to your computer and use it in GitHub Desktop.
Save tallclair/11981031b6bfa829bb1fb9dcb7e026b0 to your computer and use it in GitHub Desktop.
Download ZIP
Restricted PodSecurityPolicy
Raw
restricted-psp.yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment