@schfkt
Forked from tallclair/restricted-psp.yaml
Created August 3, 2018 17:16

Revisions

  1. @tallclair tallclair revised this gist Nov 21, 2017. 1 changed file with 5 additions and 1 deletion.
    6 changes: 5 additions & 1 deletion restricted-psp.yaml
    Original file line number Diff line number Diff line change
    @@ -40,4 +40,8 @@ spec:
    - min: 1
    max: 65535
    fsGroup:
    rule: 'RunAsAny'
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
    max: 65535
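Review bot: switching `fsGroup` to `MustRunAs` with the single range `1`..`65535` has two side effects that deserve a comment beside the rule. First, `MustRunAs` makes the admission controller fill an unset `securityContext.fsGroup` with the minimum of the first range, so every pod that did not set `fsGroup` is now mutated to `fsGroup: 1` (the `daemon` group on most distributions) and its volumes are chowned to that group; starting the range at an unprivileged value such as `1000` avoids handing workloads a system group by default. Second, `max: 65535` rejects the large GIDs that platforms allocating per-namespace ID ranges (OpenShift, for one) assign; Kubernetes accepts GIDs up to `2147483647`, and the only value this rule needs to exclude is `0`, so `max: 2147483647` keeps the "forbid the root group" intent without breaking those pods.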
  2. @tallclair tallclair revised this gist Nov 21, 2017. 1 changed file with 16 additions and 25 deletions.
    41 changes: 16 additions & 25 deletions restricted-psp.yaml
    @@ -1,52 +1,43 @@
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: restricted-v1
    name: restricted
    annotations:
    kubernetes.io/description: 'This policy demonstrates best practices for
    running Pods with minimal security privileges.'
    # To use custom seccomp or apparmor profiles, make a copy of this policy and
    # add the custom profiles here.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    labels:
    kubernetes.io/cluster-service: 'true'
    addonmanager.kubernetes.io/mode: Reconcile
    spec:
    privileged: false
    # Required to prevent escalations to root.
    allowPrivilegeEscalation: false
    # Drop capabilities that are used for manipulating user IDs (most containers
    # only need a single user), and capabilities that are seldom used.
    # This is redundant with non-root + disallow privilege escalation,
    # but we can provide it for defense in depth.
    requiredDropCapabilities:
    - AUDIT_WRITE
    - CHOWN
    - DAC_OVERRIDE
    - FOWNER
    - FSETID
    - KILL
    - MKNOD
    - NET_RAW
    - SETGID
    - SETUID
    - SYS_CHROOT
    - ALL
    # Allow core volume types.
    volumes:
    - 'configMap'
    - 'emptyDir'
    - 'persistentVolumeClaim'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
    hostNetwork: false
    hostIPC: false
    hostPID: false
    runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
    seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
    supplementalGroups:
    rule: 'RunAsAny'
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
    max: 65535
    fsGroup:
    rule: 'RunAsAny'
    readOnlyRootFilesystem: false
    rule: 'RunAsAny'
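Review bot: the comment "Assume that persistentVolumes set up by the cluster admin are safe to use" carries a real assumption and should read as a warning: the policy only validates the `persistentVolumeClaim` volume type in the pod spec, never the PV behind the claim, so a `hostPath` PV that an admin (or a permissive provisioner) creates is mountable by any pod under this policy and undoes the exclusion of `hostPath` from the `volumes` list. Replacing the capability list with `ALL` is the right change, but the comment above it overstates the overlap with non-root plus `allowPrivilegeEscalation: false`: that flag sets `no_new_privs`, which stops privilege gains at `execve` (setuid binaries, file capabilities), while the drop list governs the capability sets the runtime hands the container at start, so the two are complementary rather than redundant and the comment should say so. Lastly, `readOnlyRootFilesystem: false` is deleted rather than flipped; `false` is the default, so the deletion is a no-op, but a policy named `restricted` is the natural place to set it to `true` and note that workloads needing scratch space mount an `emptyDir`.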
  3. @tallclair tallclair revised this gist Nov 16, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions restricted-psp.yaml
    @@ -37,6 +37,7 @@ spec:
    - 'persistentVolumeClaim'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    hostNetwork: false
    hostIPC: false
    hostPID: false
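Review bot: `downwardAPI` cannot reach the host, so allowing it is fine, but a one-line comment should state what it exposes: the pod's own name, namespace, UID, labels, annotations and resource requests/limits. Any annotation a controller writes with sensitive content becomes readable by the workload, which is an argument for keeping such values out of annotations rather than for denying the volume, and that is worth saying next to the entry.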
  4. @tallclair tallclair created this gist Nov 3, 2017.
    51 changes: 51 additions & 0 deletions restricted-psp.yaml
    @@ -0,0 +1,51 @@
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: restricted-v1
    annotations:
    kubernetes.io/description: 'This policy demonstrates best practices for
    running Pods with minimal security privileges.'
    # To use custom seccomp or apparmor profiles, make a copy of this policy and
    # add the custom profiles here.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    labels:
    kubernetes.io/cluster-service: 'true'
    addonmanager.kubernetes.io/mode: Reconcile
    spec:
    privileged: false
    allowPrivilegeEscalation: false
    # Drop capabilities that are used for manipulating user IDs (most containers
    # only need a single user), and capabilities that are seldom used.
    requiredDropCapabilities:
    - AUDIT_WRITE
    - CHOWN
    - DAC_OVERRIDE
    - FOWNER
    - FSETID
    - KILL
    - MKNOD
    - NET_RAW
    - SETGID
    - SETUID
    - SYS_CHROOT
    volumes:
    - 'configMap'
    - 'emptyDir'
    - 'persistentVolumeClaim'
    - 'projected'
    - 'secret'
    hostNetwork: false
    hostIPC: false
    hostPID: false
    runAsUser:
    rule: 'MustRunAsNonRoot'
    seLinux:
    rule: 'RunAsAny'
    supplementalGroups:
    rule: 'RunAsAny'
    fsGroup:
    rule: 'RunAsAny'
    readOnlyRootFilesystem: false
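Review bot: the `requiredDropCapabilities` list names eleven of the fourteen capabilities in Docker's default set but leaves `NET_BIND_SERVICE`, `SETPCAP` and `SETFCAP` in place; if the intent is "only what a single-user container needs", `SETPCAP` and `SETFCAP` (alter a process's or a file's capability sets) do not belong in a restricted profile, and a deny-by-enumeration list is harder to audit than dropping `ALL` and adding back an explicit `allowedCapabilities` list. Two related gaps: `runAsUser: MustRunAsNonRoot` constrains only the UID, so with `supplementalGroups` and `fsGroup` both at `RunAsAny` a pod can still request `supplementalGroups: [0]` or `fsGroup: 0` and obtain root-group access to volume data; and `seLinux: RunAsAny` is unexplained, so a comment stating that the profile relies on the AppArmor annotations above rather than on SELinux would save the next reader the question.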