forked from sysdiglabs/kube-psp-advisor
-
Notifications
You must be signed in to change notification settings - Fork 0
/
psp-grant.yaml
132 lines (132 loc) · 2.83 KB
/
psp-grant.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# Pod security policies will NOT be created for service account 'default' in namespace 'psp-test' with following workdloads:
# Kind: ReplicationController, Name: busy-rc, Image: busybox
---
# Pod security policies will be created for service account 'sa-1' in namespace 'psp-test' with following workdloads:
# Kind: ReplicaSet, Name: busy-rs, Image: busybox
# Kind: Pod, Name: busy-pod, Image: busybox
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
creationTimestamp: null
name: psp-for-psp-test-sa-1
spec:
allowedCapabilities:
- SYS_ADMIN
allowedHostPaths:
- pathPrefix: /usr/bin
readOnly: true
fsGroup:
rule: RunAsAny
hostIPC: true
hostNetwork: true
hostPID: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- configMap
- secret
- hostPath
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: use-psp-by-psp-test:sa-1
namespace: psp-test
rules:
- apiGroups:
- policy
resourceNames:
- psp-for-psp-test-sa-1
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: use-psp-by-psp-test:sa-1-binding
namespace: psp-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: use-psp-by-psp-test:sa-1
subjects:
- kind: ServiceAccount
name: sa-1
namespace: psp-test
---
# Pod security policies will be created for service account 'sa-2' in namespace 'psp-test' with following workdloads:
# Kind: DaemonSet, Name: busy-ds, Image: busybox
# Kind: Deployment, Name: busy-deploy, Image: busybox
# Kind: Job, Name: busy-job, Image: busybox
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
creationTimestamp: null
name: psp-for-psp-test-sa-2
spec:
allowedCapabilities:
- SYS_ADMIN
- NET_ADMIN
allowedHostPaths:
- pathPrefix: /bin
readOnly: true
- pathPrefix: /tmp
readOnly: true
- pathPrefix: /usr/bin
readOnly: true
fsGroup:
rule: RunAsAny
hostIPC: true
hostPID: true
runAsUser:
ranges:
- max: 10001
min: 10001
rule: MustRunAs
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- hostPath
- secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: use-psp-by-psp-test:sa-2
namespace: psp-test
rules:
- apiGroups:
- policy
resourceNames:
- psp-for-psp-test-sa-2
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: use-psp-by-psp-test:sa-2-binding
namespace: psp-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: use-psp-by-psp-test:sa-2
subjects:
- kind: ServiceAccount
name: sa-2
namespace: psp-test
---