Skip to content

Instantly share code, notes, and snippets.

@schfkt

schfkt/restricted-psp.yaml

Forked from tallclair/restricted-psp.yaml
Created August 3, 2018 17:16
Show Gist options
  • Save schfkt/2a221897c1cc3e6f11ca485f20b51fe2 to your computer and use it in GitHub Desktop.
Save schfkt/2a221897c1cc3e6f11ca485f20b51fe2 to your computer and use it in GitHub Desktop.
Download ZIP
Restricted PodSecurityPolicy
Raw
restricted-psp.yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted-v1
annotations:
kubernetes.io/description: 'This policy demonstrates best practices for
running Pods with minimal security privileges.'
# To use custom seccomp or apparmor profiles, make a copy of this policy and
# add the custom profiles here.
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
labels:
kubernetes.io/cluster-service: 'true'
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: false
allowPrivilegeEscalation: false
# Drop capabilities that are used for manipulating user IDs (most containers
# only need a single user), and capabilities that are seldom used.
requiredDropCapabilities:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_RAW
- SETGID
- SETUID
- SYS_CHROOT
volumes:
- 'configMap'
- 'emptyDir'
- 'persistentVolumeClaim'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment