local kube = import "kube.libsonnet";

# PodSecurityPolicy objects for the cluster and the RBAC glue that lets
# workloads use them. Two policies are defined: "insecure" (everything
# allowed, host namespaces included) and "secure" (a restricted baseline).
#
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated upstream and
# was removed from Kubernetes in 1.25; confirm the target cluster still serves it.
{
  local policies = self,

  # Names of the ClusterRoles that grant the "use" verb on each policy.
  policyNameAllowInsecure: "policy:allow-insecure",
  policyNameAllowSecure: "policy:allow-secure",

  # Cluster-scoped objects: both PSPs plus one ClusterRole per PSP.
  Cluster: {
    # ClusterRole whose single rule is permission to "use" the PSP `pspName`.
    local useRole(roleName, pspName) = kube.ClusterRole(roleName) {
      rules: [
        {
          apiGroups: ["policy"],
          resources: ["podsecuritypolicies"],
          verbs: ["use"],
          resourceNames: [pspName],
        },
      ],
    },

    # GID range used by the secure policy for fsGroup and supplementalGroups.
    # Starting at 1 keeps gid 0 (root) out of the allowed set.
    local nonRootGidRange = [
      { min: 1, max: 65535 },
    ],

    # Unrestricted policy: privileged containers, every capability, every
    # volume type and all three host namespaces.
    insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "insecure") {
      spec: {
        privileged: true,
        allowPrivilegeEscalation: true,
        allowedCapabilities: ["*"],
        volumes: ["*"],
        hostNetwork: true,
        hostPID: true,
        hostIPC: true,
        runAsUser: { rule: "RunAsAny" },
        seLinux: { rule: "RunAsAny" },
        supplementalGroups: { rule: "RunAsAny" },
        fsGroup: { rule: "RunAsAny" },
      },
    },
    insecureRole: useRole(policies.policyNameAllowInsecure, "insecure"),

    # Restricted baseline for ordinary workloads.
    secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "secure") {
      spec: {
        privileged: false,
        # No escalation past the privileges the container starts with.
        allowPrivilegeEscalation: false,
        # Drop every capability. Running as root is still permitted (runAsUser
        # below is RunAsAny), so this, not a non-root requirement, is what
        # bounds a root process inside the container.
        requiredDropCapabilities: ["ALL"],
        # Core volume types only; hostPath and other host-backed types are not
        # in this list. Order is kept as in the manifest since arrays are ordered.
        volumes: [
          "configMap",
          "emptyDir",
          "projected",
          "secret",
          "downwardAPI",
          "persistentVolumeClaim",
        ],
        hostNetwork: false,
        hostPID: false,
        hostIPC: false,
        # Any UID, root included - the container image (docker) is trusted here.
        runAsUser: { rule: "RunAsAny" },
        seLinux: { rule: "RunAsAny" },
        supplementalGroups: { rule: "MustRunAs", ranges: nonRootGidRange },
        fsGroup: { rule: "MustRunAs", ranges: nonRootGidRange },
        # A writable root filesystem is allowed.
        readOnlyRootFilesystem: false,
      },
    },
    secureRole: useRole(policies.policyNameAllowSecure, "secure"),
  },

  # RoleBinding granting the insecure ClusterRole to the `system:serviceaccounts`
  # group in `namespace`. Because a RoleBinding is namespace-scoped, the
  # resulting "use" permission applies within that namespace.
  #
  # NOTE(review): `system:serviceaccounts` is the cluster-wide group of all
  # service accounts; if only this namespace's own service accounts are meant,
  # the per-namespace group `system:serviceaccounts:<namespace>` is the
  # narrower subject - confirm which was intended.
  AllowNamespaceInsecure(namespace): {
    rb: kube.RoleBinding("policy:allow-insecure-in-" + namespace) {
      metadata+: { namespace: namespace },
      roleRef_: policies.Cluster.insecureRole,
      subjects: [
        {
          kind: "Group",
          apiGroup: "rbac.authorization.k8s.io",
          name: "system:serviceaccounts",
        },
      ],
    },
  },
}