Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +02001local kube = import "kube.libsonnet";
2
3{
local policies = self,

# Names of the ClusterRoles that grant "use" on each PodSecurityPolicy.
# The RoleBindings further down reach them via policies.Cluster.*Role;
# the names are also what shows up in `kubectl get clusterrole`.
policyNameAllowInsecure: "policy:allow-insecure",
policyNameAllowSecure: "policy:allow-secure",
policyNameAllowMostlySecure: "policy:allow-mostlysecure",
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +02009
Cluster: {
  local cluster = self,

  // NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated since
  // Kubernetes 1.21 and removed in 1.25, where these objects are no longer
  // admitted. Plan a migration (e.g. Pod Security Admission or another
  // admission controller) before upgrading past 1.24.

  // Insecure: allowing creation of these pods allows you to pwn the entire cluster.
  // privileged + any volume type (hostPath included) + hostPID/hostIPC/hostNetwork
  // is root on the node, and root on the node has the kubelet's credentials.
  // The hostPorts range below is cosmetic: it only constrains the containers'
  // `hostPort` field, and a hostNetwork pod binds any host port directly.
  insecure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "insecure") {
    spec: {
      privileged: true,
      allowPrivilegeEscalation: true,
      allowedCapabilities: ['*'],
      volumes: ['*'],
      hostNetwork: true,
      hostPorts: [
        { max: 40000, min: 1 },
      ],
      hostIPC: true,
      hostPID: true,
      runAsUser: {
        rule: 'RunAsAny',
      },
      seLinux: {
        rule: 'RunAsAny',
      },
      supplementalGroups: {
        rule: 'RunAsAny',
      },
      fsGroup: {
        rule: 'RunAsAny',
      },
    },
  },
  // ClusterRole granting "use" on the insecure policy. It is bound per
  // namespace by AllowNamespaceInsecure below; whoever holds it is, for
  // practical purposes, a cluster admin.
  insecureRole: kube.ClusterRole(policies.policyNameAllowInsecure) {
    rules: [
      {
        apiGroups: ['policy'],
        resources: ['podsecuritypolicies'],
        verbs: ['use'],
        resourceNames: ['insecure'],
      }
    ],
  },

  // Secure: very limited subset of security policy, everyone is allowed
  // to spawn containers of this kind.
  // (The cluster-wide binding of secureRole is not defined in this file.)
  secure: kube._Object("policy/v1beta1", "PodSecurityPolicy", "secure") {
    spec: {
      privileged: false,
      # Required to prevent escalations to root.
      # Sets no_new_privs, so setuid/setgid binaries and file capabilities
      # cannot raise privilege at exec time.
      allowPrivilegeEscalation: false,
      # NOTE(review): this is NOT redundant here. runAsUser below is
      # RunAsAny, so containers may run as uid 0; dropping every capability
      # is what keeps such a root process from exercising kernel privileges
      # (CAP_SYS_ADMIN, CAP_NET_RAW, CAP_SYS_MODULE, ...) against the node.
      requiredDropCapabilities: ["ALL"],
      # Allow core volume types.
      # hostPath is deliberately absent: it would expose the node filesystem.
      volumes: [
        'configMap',
        'emptyDir',
        'projected',
        'secret',
        'downwardAPI',
        'persistentVolumeClaim',
      ],
      hostNetwork: false,
      hostIPC: false,
      hostPID: false,
      runAsUser: {
        # Allow to run as root - docker, we trust you here.
        # No MustRunAsNonRoot, so uid 0 inside the container is permitted.
        # runAsGroup is not constrained either, so the primary GID may also
        # be 0; the MustRunAs ranges below only cover supplemental groups
        # and fsGroup.
        rule: 'RunAsAny',
      },
      seLinux: {
        rule: 'RunAsAny',
      },
      supplementalGroups: {
        rule: 'MustRunAs',
        ranges: [
          {
            # Forbid adding the root group.
            # Also excludes GIDs above 65535; widen max if such GIDs are needed.
            min: 1,
            max: 65535,
          }
        ],
      },
      fsGroup: {
        rule: 'MustRunAs',
        ranges: [
          {
            # Forbid adding the root group.
            # Also excludes GIDs above 65535; widen max if such GIDs are needed.
            min: 1,
            max: 65535,
          }
        ],
      },
      # Containers keep a writable root filesystem.
      readOnlyRootFilesystem: false,
    },
  },
  // ClusterRole granting "use" on the secure policy.
  secureRole: kube.ClusterRole(policies.policyNameAllowSecure) {
    rules: [
      {
        apiGroups: ['policy'],
        resources: ['podsecuritypolicies'],
        verbs: ['use'],
        resourceNames: ['secure'],
      },
    ],
  },

  // MostlySecure: like secure, but allows for setuid inside containers.
  // Inherits the whole `secure` object (apiVersion, kind, spec) and only
  // overrides the name and allowPrivilegeEscalation, so setuid/setgid
  // binaries and file capabilities work at exec again. The inherited
  // requiredDropCapabilities: ["ALL"] still applies, so the capability
  // bounding set stays empty: a setuid-root binary gains uid 0 but no
  // capabilities.
  mostlySecure: cluster.secure {
    metadata+: {
      name: "mostlysecure",
    },
    spec+: {
      allowPrivilegeEscalation: true,
    },
  },
  // ClusterRole granting "use" on the mostlysecure policy; bound per
  // namespace by AllowNamespaceMostlySecure below.
  mostlySecureRole: kube.ClusterRole(policies.policyNameAllowMostlySecure) {
    rules: [
      {
        apiGroups: ['policy'],
        resources: ['podsecuritypolicies'],
        verbs: ['use'],
        resourceNames: ['mostlysecure'],
      },
    ],
  },
},
134
# Allow all service accounts in the given namespace to use the "insecure"
# PodSecurityPolicy, i.e. to run pods that can take over the node and, from
# there, the cluster. Bind this only to namespaces that genuinely need it.
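AllowNamespaceInsecure(namespace): {
  # RoleBinding (namespaced) that grants "use" on the insecure PSP to the
  # service accounts of `namespace`.
  rb: kube.RoleBinding("policy:allow-insecure-in-" + namespace) {
    metadata+: {
      namespace: namespace,
    },
    roleRef_: policies.Cluster.insecureRole,
    subjects: [
      {
        kind: "Group",
        apiGroup: "rbac.authorization.k8s.io",
        # The per-namespace service account group. The bare
        # "system:serviceaccounts" group matches service accounts from
        # every namespace; the RoleBinding already confines the grant to
        # this namespace, but the namespaced group keeps the subject to
        # exactly what the binding name promises. PSP admission also
        # authorizes the pod's own service account, which lives in this
        # namespace, so controller-created pods (Deployments, Jobs, ...)
        # keep working.
        name: "system:serviceaccounts:" + namespace,
      }
    ],
  },
},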
Sergiusz Bazanskie3432ee2020-05-11 20:16:44 +0200151
# Allow all service accounts in the given namespace to use the "mostlysecure"
# PodSecurityPolicy: the "secure" policy plus allowPrivilegeEscalation, so
# setuid/setgid binaries work inside containers.
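AllowNamespaceMostlySecure(namespace): {
  # RoleBinding (namespaced) that grants "use" on the mostlysecure PSP to
  # the service accounts of `namespace`.
  rb: kube.RoleBinding("policy:allow-mostlysecure-in-" + namespace) {
    metadata+: {
      namespace: namespace,
    },
    roleRef_: policies.Cluster.mostlySecureRole,
    subjects: [
      {
        kind: "Group",
        apiGroup: "rbac.authorization.k8s.io",
        # The per-namespace service account group rather than the bare
        # "system:serviceaccounts" group, which matches service accounts
        # from every namespace. The RoleBinding already confines the grant
        # to this namespace; the namespaced group keeps the subject to what
        # the binding name promises. PSP admission also authorizes the
        # pod's own service account, which lives in this namespace, so
        # controller-created pods keep working.
        name: "system:serviceaccounts:" + namespace,
      }
    ],
  },
},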
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200168}