-
Notifications
You must be signed in to change notification settings - Fork 480
/
podsecurity-enforce.yaml
70 lines (70 loc) · 1.59 KB
/
podsecurity-enforce.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/bindings.yaml
# restricted-psp-user grants access to use the restricted PSP.
# https://cheatsheet.dennyzhang.com/kubernetes-yaml-templates
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: restricted-psp-user
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- restricted
verbs:
- use
---
# https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/policies.yaml
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
spec:
privileged: false
fsGroup:
rule: RunAsAny
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'emptyDir'
- 'secret'
- 'downwardAPI'
- 'configMap'
- 'persistentVolumeClaim'
- 'projected'
hostPID: false
hostIPC: false
hostNetwork: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restricted-psp-users
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: restricted-psp-users
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: restricted-psp-user
---
# edit grants edit role to the groups
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: edit
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: restricted-psp-users
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: edit