local kube = import "kube.libsonnet";

# PodSecurityPolicy definitions plus the RBAC wiring that lets service
# accounts 'use' them. Two cluster-wide policies are defined: 'insecure'
# (effectively unrestricted) and 'secure' (restricted), each paired with a
# ClusterRole that grants the 'use' verb on that single policy only.
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was deprecated in
# Kubernetes 1.21 and removed in 1.25; these objects only apply on older
# clusters — confirm the target cluster version before relying on them.
{
    local policies = self,

    # Names of the ClusterRoles granting 'use' on the respective policy;
    # exposed so bindings elsewhere can refer to them by name.
    policyNameAllowInsecure: "policy:allow-insecure",
    policyNameAllowSecure: "policy:allow-secure",

    Cluster: {
        # Unrestricted policy: privileged containers, any capability, every
        # volume type (hostPath included), host network/IPC/PID namespaces and
        # any UID. A pod admitted under it is effectively root on the node it
        # runs on, so 'use' on this policy amounts to node-level access.
        insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "insecure") {
            spec: {
                privileged: true,
                allowPrivilegeEscalation: true,
                allowedCapabilities: ['*'],
                volumes: ['*'],
                hostNetwork: true,
                # Host ports 1-40000 may be bound; anything above 40000 is
                # rejected even under this policy.
                hostPorts: [
                    { max: 40000, min: 1 },
                ],
                hostIPC: true,
                hostPID: true,
                runAsUser: {
                    rule: 'RunAsAny',
                },
                seLinux: {
                    rule: 'RunAsAny',
                },
                supplementalGroups: {
                    rule: 'RunAsAny',
                },
                fsGroup: {
                    rule: 'RunAsAny',
                },
            },
        },
        # ClusterRole whose only permission is 'use' on the 'insecure' PSP.
        # Binding it (see AllowNamespaceInsecure) is what actually opens the
        # policy up to a set of subjects.
        insecureRole: kube.ClusterRole(policies.policyNameAllowInsecure) {
            rules: [
                {
                    apiGroups: ['policy'],
                    resources: ['podsecuritypolicies'],
                    verbs: ['use'],
                    resourceNames: ['insecure'],
                }
            ],
        },
        # Restricted policy: no privileged containers, no privilege
        # escalation, all capabilities dropped, no host namespaces and only
        # non-host volume types. It still permits running as UID 0 (see
        # runAsUser below) and a writable root filesystem.
        secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "secure") {
            spec: {
                privileged: false,
                # Required to prevent escalations to root (setuid binaries,
                # file capabilities) from inside the container.
                allowPrivilegeEscalation: false,
                # Drops every capability from the bounding set. This is not
                # actually redundant here: runAsUser is RunAsAny below, so a
                # container may start as root and would otherwise keep the
                # container runtime's default capability set.
                requiredDropCapabilities: ["ALL"],
                # Allow core volume types only; hostPath is deliberately
                # absent, which is what keeps this policy off the node
                # filesystem.
                volumes: [
                    'configMap',
                    'emptyDir',
                    'projected',
                    'secret',
                    'downwardAPI',
                    'persistentVolumeClaim',
                ],
                hostNetwork: false,
                hostIPC: false,
                hostPID: false,
                runAsUser: {
                    # Allow to run as root - docker, we trust you here.
                    # NOTE(review): this is the main gap relative to a
                    # MustRunAsNonRoot policy; root in the container is
                    # tolerated on the strength of the restrictions above.
                    rule: 'RunAsAny',
                },
                seLinux: {
                    rule: 'RunAsAny',
                },
                supplementalGroups: {
                    rule: 'MustRunAs',
                    ranges: [
                        {
                            # Forbid adding the root group (GID 0) as a
                            # supplemental group. The primary GID is governed
                            # by runAsGroup, which this policy does not set.
                            min: 1,
                            max: 65535,
                        }
                    ],
                },
                fsGroup: {
                    rule: 'MustRunAs',
                    ranges: [
                        {
                            # Forbid the root group (GID 0) as the volume
                            # ownership group.
                            min: 1,
                            max: 65535,
                        }
                    ],
                },
                # Containers may write to their own root filesystem.
                readOnlyRootFilesystem: false,
            },
        },
        # ClusterRole whose only permission is 'use' on the 'secure' PSP.
        secureRole: kube.ClusterRole(policies.policyNameAllowSecure) {
            rules: [
                {
                    apiGroups: ['policy'],
                    resources: ['podsecuritypolicies'],
                    verbs: ['use'],
                    resourceNames: ['secure'],
                },
            ],
        },
    },

    # Allow insecure access to all service accounts in a given namespace:
    # binds the insecure ClusterRole to the system:serviceaccounts group via a
    # RoleBinding scoped to `namespace`. Any pod created by any service
    # account in that namespace may then be admitted under the unrestricted
    # policy, so grant this only where a namespace genuinely needs it.
    AllowNamespaceInsecure(namespace): {
        rb: kube.RoleBinding("policy:allow-insecure-in-" + namespace) {
            metadata+: {
                namespace: namespace,
            },
            # roleRef_ presumably lets kube.libsonnet derive roleRef from the
            # role object itself — confirm against kube.libsonnet.
            roleRef_: policies.Cluster.insecureRole,
            subjects: [
                {
                    kind: "Group",
                    apiGroup: "rbac.authorization.k8s.io",
                    name: "system:serviceaccounts",
                }
            ],
        },
    },
}