kube/policies: implement mostlysecure
Change-Id: I0f5dc29f9fc3ad534ddda766a79bb18e64757a6c
diff --git a/kube/policies.libsonnet b/kube/policies.libsonnet
index 18b5c27..242c00c 100644
--- a/kube/policies.libsonnet
+++ b/kube/policies.libsonnet
@@ -5,8 +5,12 @@
policyNameAllowInsecure: "policy:allow-insecure",
policyNameAllowSecure: "policy:allow-secure",
+ policyNameAllowMostlySecure: "policy:allow-mostlysecure",
Cluster: {
+ local cluster = self,
+
+ // Insecure: allowing creation of these pods allows you to pwn the entire cluster.
insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "insecure") {
spec: {
privileged: true,
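Review bot: The new comment on `insecure` says creating these pods lets you "pwn the entire cluster" but not why, so the next reader cannot judge whether a later relaxation of the spec keeps that property. Naming the mechanism that is visible in the hunk makes it reviewable, e.g. `// Insecure: privileged: true below gives the container the node's root, i.e. node (and from there cluster) takeover;` followed by `// bind policy:allow-insecure only where that is acceptable.` The rest of the `insecure` spec continues past the end of this hunk, so any further dangerous fields (host namespaces, volume types) it sets would belong in the same comment.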
@@ -43,6 +47,9 @@
}
],
},
+
+ // Secure: very limited subset of security policy, everyone is allowed
+ // to spawn containers of this kind.
secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "secure") {
spec: {
privileged: false,
@@ -103,6 +110,26 @@
},
],
},
+
+ // MostlySecure: like secure, but allows for setuid inside containers.
+ mostlySecure: cluster.secure {
+ metadata+: {
+ name: "mostlysecure",
+ },
+ spec+: {
+ allowPrivilegeEscalation: true,
+ },
+ },
+ mostlySecureRole: kube.ClusterRole(policies.policyNameAllowMostlySecure) {
+ rules: [
+ {
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: ['mostlysecure'],
+ },
+ ],
+ },
},
# Allow insecure access to all service accounts in a given namespace.
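Review bot: `mostlySecureRole` hard-codes `resourceNames: ['mostlysecure']` while the policy it is meant to grant gets its name from `metadata+: { name: "mostlysecure" }` a few lines above, so renaming one without the other silently produces a role that grants `use` on a non-existent PSP; `resourceNames: [cluster.mostlySecure.metadata.name],` ties the two together. The comment "allows for setuid inside containers" would be more useful if it named the flag's effect: `allowPrivilegeEscalation: true` means pods under this policy may run without no_new_privs, so setuid and file-capability binaries can gain privileges inside the container, while `privileged: false` and the rest of `secure` still apply. Note that the inherited `secure` spec starts in the previous hunk and is mostly outside view; if it sets `defaultAllowPrivilegeEscalation: false`, pods will still have to request escalation explicitly, which is worth stating in the comment so the behaviour is not assumed either way.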
@@ -121,4 +148,21 @@
],
},
},
+
+ # Allow mostlysecure access to all service accounts in a given namespace.
+ AllowNamespaceMostlySecure(namespace): {
+ rb: kube.RoleBinding("policy:allow-mostlysecure-in-" + namespace) {
+ metadata+: {
+ namespace: namespace,
+ },
+ roleRef_: policies.Cluster.mostlySecureRole,
+ subjects: [
+ {
+ kind: "Group",
+ apiGroup: "rbac.authorization.k8s.io",
+ name: "system:serviceaccounts",
+ }
+ ],
+ },
+ },
}
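Review bot: The binding's subject is the cluster-wide group `system:serviceaccounts`, not the per-namespace group, although the comment says it grants access to "all service accounts in a given namespace"; `name: "system:serviceaccounts:" + namespace,` is the subject that matches that intent. In practice PSP `use` is authorized in the pod's namespace and a pod's service account must live there, so the wider group mostly behaves the same, but it also authorizes a service account from another namespace that creates pods here, and the narrower group is the least-privilege form. The sibling `AllowNamespaceInsecure`/`AllowNamespaceSecure` subjects are outside this hunk; if they use the wider group too, they should be tightened together so the three helpers stay consistent.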