local kube = import "kube.libsonnet";
{
# Bound to the top-level object so nested objects (Cluster,
# AllowNamespaceInsecure) can reach these fields; inside them `self`
# would refer to the nested object instead.
local policies = self,
# Names of the two ClusterRoles that grant `use` on the matching
# PodSecurityPolicy (built in Cluster below). Public fields, presumably so
# bindings defined elsewhere can reference the roles by name.
policyNameAllowInsecure: "policy:allow-insecure",
policyNameAllowSecure: "policy:allow-secure",
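Cluster: {
  # PSP names are defined once and reused both as the object name and as the
  # ClusterRole's resourceNames entry, so the two cannot drift apart. A
  # mismatch would not fail at compile time; it would silently deny every
  # pod that relies on the role at admission time.
  local insecurePspName = "insecure",
  local securePspName = "secure",

  # The single RBAC rule that lets a subject `use` one named
  # PodSecurityPolicy. `use` on a PSP is an authorisation to run pods under
  # that policy, so the rule must name exactly the intended PSP and never
  # a wildcard.
  local pspUseRule(pspName) = {
    apiGroups: ['policy'],
    resources: ['podsecuritypolicies'],
    verbs: ['use'],
    resourceNames: [pspName],
  },
  local runAsAny = { rule: 'RunAsAny' },
  # Forbid adding the root group: any GID except 0.
  local nonRootGroupRange = {
    rule: 'MustRunAs',
    ranges: [
      { min: 1, max: 65535 },
    ],
  },

  # NOTE: PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25;
  # clusters at or beyond that release need Pod Security Admission or an
  # external admission controller to enforce equivalent restrictions.

  # Deliberately unrestricted policy: privileged containers, every
  # capability, every volume type, host network/IPC/PID namespaces, host
  # ports 1-40000, and any UID/GID/SELinux context. A subject allowed to
  # `use` this PSP is effectively root on the node, so bind it only to the
  # namespaces that genuinely need it (see AllowNamespaceInsecure).
  insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", insecurePspName) {
    spec: {
      privileged: true,
      allowPrivilegeEscalation: true,
      allowedCapabilities: ['*'],
      volumes: ['*'],
      hostNetwork: true,
      hostPorts: [
        { max: 40000, min: 1 },
      ],
      hostIPC: true,
      hostPID: true,
      runAsUser: runAsAny,
      seLinux: runAsAny,
      supplementalGroups: runAsAny,
      fsGroup: runAsAny,
    },
  },
  insecureRole: kube.ClusterRole(policies.policyNameAllowInsecure) {
    rules: [
      pspUseRule(insecurePspName),
    ],
  },

  # Default policy for ordinary workloads. Compared with the upstream
  # "restricted" example it still permits running as UID 0, a writable root
  # filesystem and any SELinux context; those relaxations are kept on
  # purpose (see the per-field comments) and are the first things to
  # tighten where workloads allow it.
  secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", securePspName) {
    spec: {
      privileged: false,
      # Required to prevent escalations to root.
      allowPrivilegeEscalation: false,
      # Not redundant here: runAsUser is RunAsAny, so a container may start
      # as UID 0. Dropping every capability is what keeps a root process in
      # this policy from acting as root on the node.
      requiredDropCapabilities: ["ALL"],
      # Allow core volume types. hostPath is intentionally absent: a
      # writable hostPath mount would bypass every other restriction here.
      volumes: [
        'configMap',
        'emptyDir',
        'projected',
        'secret',
        'downwardAPI',
        'persistentVolumeClaim',
      ],
      hostNetwork: false,
      hostIPC: false,
      hostPID: false,
      # Allow to run as root - docker, we trust you here.
      # MustRunAsNonRoot is the stricter alternative; left as RunAsAny
      # because existing images may depend on starting as root.
      runAsUser: runAsAny,
      seLinux: runAsAny,
      supplementalGroups: nonRootGroupRange,
      fsGroup: nonRootGroupRange,
      # A read-only root filesystem would limit tampering with the image at
      # runtime; kept writable here so unmodified images keep working.
      readOnlyRootFilesystem: false,
    },
  },
  secureRole: kube.ClusterRole(policies.policyNameAllowSecure) {
    rules: [
      pspUseRule(securePspName),
    ],
  },
},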
# Allow insecure access to all service accounts in a given namespace.
# Emits one namespaced RoleBinding that lets pods in `namespace` use the
# "insecure" PodSecurityPolicy. The subject is the cluster-wide group of
# all service accounts; because a RoleBinding is namespaced, the grant only
# takes effect for pods admitted into `namespace`. The per-namespace group
# "system:serviceaccounts:" + namespace would be the narrower subject; the
# cluster-wide group is kept here to preserve existing behaviour.
AllowNamespaceInsecure(namespace): {
  local bindingName = "policy:allow-insecure-in-" + namespace,
  local allServiceAccounts = {
    kind: "Group",
    apiGroup: "rbac.authorization.k8s.io",
    name: "system:serviceaccounts",
  },
  rb: kube.RoleBinding(bindingName) {
    metadata+: { namespace: namespace },
    # Resolved by kube.libsonnet into the roleRef for the insecure ClusterRole.
    roleRef_: policies.Cluster.insecureRole,
    subjects: [allServiceAccounts],
  },
},
}