| local kube = import "kube.libsonnet"; |
| |
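{
  local policies = self,

  // Three PodSecurityPolicy tiers (insecure / mostlysecure / secure) plus the
  // ClusterRoles that grant the `use` verb on each, and per-namespace
  // RoleBindings that hand those roles to a namespace's service accounts.
  // Note: policy/v1beta1 PodSecurityPolicy was removed in Kubernetes 1.25;
  // this file only applies to clusters that still serve that API.
  policyNameAllowInsecure: "policy:allow-insecure",
  policyNameAllowSecure: "policy:allow-secure",
  policyNameAllowMostlySecure: "policy:allow-mostlysecure",

  Cluster: {
    local cluster = self,

    // PSP object names, shared between the PSP definition and the
    // resourceNames of the matching ClusterRole so the two cannot drift.
    local insecureName = "insecure",
    local secureName = "secure",
    local mostlySecureName = "mostlysecure",

    // Single RBAC rule granting the `use` verb on one named PSP.
    local usePolicyRule(pspName) = {
      apiGroups: ['policy'],
      resources: ['podsecuritypolicies'],
      verbs: ['use'],
      resourceNames: [pspName],
    },

    // GID range that excludes gid 0, used for supplementalGroups/fsGroup.
    local nonRootGidRange = { min: 1, max: 65535 },

    // Insecure: allowing creation of these pods allows you to pwn the entire cluster.
    // Host namespaces, privileged mode, every capability and every volume type.
    insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", insecureName) {
      spec: {
        privileged: true,
        allowPrivilegeEscalation: true,
        allowedCapabilities: ['*'],
        volumes: ['*'],
        hostNetwork: true,
        hostPorts: [
          { max: 40000, min: 1 },
        ],
        hostIPC: true,
        hostPID: true,
        runAsUser: { rule: 'RunAsAny' },
        seLinux: { rule: 'RunAsAny' },
        supplementalGroups: { rule: 'RunAsAny' },
        fsGroup: { rule: 'RunAsAny' },
      },
    },
    insecureRole: kube.ClusterRole(policies.policyNameAllowInsecure) {
      rules: [usePolicyRule(insecureName)],
    },

    // Secure: very limited subset of security policy, everyone is allowed
    // to spawn containers of this kind.
    secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", secureName) {
      spec: {
        privileged: false,
        // Required to prevent escalations to root: setuid binaries inside the
        // container cannot gain privileges.
        allowPrivilegeEscalation: false,
        // NOT redundant in this policy: runAsUser below is RunAsAny, so a
        // container may start as uid 0 and this is what strips its
        // capabilities. Keep it even if the uid rule is tightened later.
        requiredDropCapabilities: ["ALL"],
        // Allow core volume types only (no hostPath).
        volumes: [
          'configMap',
          'emptyDir',
          'projected',
          'secret',
          'downwardAPI',
          'persistentVolumeClaim',
        ],
        hostNetwork: false,
        hostIPC: false,
        hostPID: false,
        runAsUser: {
          // Allow to run as root - docker, we trust you here.
          rule: 'RunAsAny',
        },
        seLinux: { rule: 'RunAsAny' },
        supplementalGroups: {
          rule: 'MustRunAs',
          // Forbid adding the root group.
          ranges: [nonRootGidRange],
        },
        fsGroup: {
          rule: 'MustRunAs',
          // Forbid adding the root group.
          ranges: [nonRootGidRange],
        },
        readOnlyRootFilesystem: false,
      },
    },
    secureRole: kube.ClusterRole(policies.policyNameAllowSecure) {
      rules: [usePolicyRule(secureName)],
    },

    // MostlySecure: like secure, but allows for setuid inside containers.
    // Everything else (dropped capabilities, no host namespaces, volume
    // allowlist, non-root GID ranges) is inherited from `secure`.
    mostlySecure: cluster.secure {
      metadata+: { name: mostlySecureName },
      spec+: { allowPrivilegeEscalation: true },
    },
    mostlySecureRole: kube.ClusterRole(policies.policyNameAllowMostlySecure) {
      rules: [usePolicyRule(mostlySecureName)],
    },
  },

  // Allow insecure access to all service accounts in a given namespace.
  AllowNamespaceInsecure(namespace): {
    rb: kube.RoleBinding("policy:allow-insecure-in-" + namespace) {
      metadata+: { namespace: namespace },
      roleRef_: policies.Cluster.insecureRole,
      subjects: [
        {
          kind: "Group",
          apiGroup: "rbac.authorization.k8s.io",
          // Only this namespace's service accounts, matching the intent
          // above. The cluster-wide `system:serviceaccounts` group would also
          // grant `use` of this policy here to service accounts from other
          // namespaces.
          name: "system:serviceaccounts:" + namespace,
        },
      ],
    },
  },

  // Allow mostlysecure access to all service accounts in a given namespace.
  AllowNamespaceMostlySecure(namespace): {
    rb: kube.RoleBinding("policy:allow-mostlysecure-in-" + namespace) {
      metadata+: { namespace: namespace },
      roleRef_: policies.Cluster.mostlySecureRole,
      subjects: [
        {
          kind: "Group",
          apiGroup: "rbac.authorization.k8s.io",
          // Scoped to this namespace's service accounts, see
          // AllowNamespaceInsecure for why the cluster-wide group is avoided.
          name: "system:serviceaccounts:" + namespace,
        },
      ],
    },
  },
}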