From 72164177dc1322d1b3fe55568cd64aa6494eb352 Mon Sep 17 00:00:00 2001 From: kolja-lucht <6205839+kolja-lucht@users.noreply.github.com> Date: Tue, 9 May 2023 19:25:31 +0200 Subject: [PATCH] Remove PodSecurityPolicy examples (#59) Co-authored-by: Kolja Lucht --- PodSecurityPolicy/Ingress/simple.yaml | 19 ------ PodSecurityPolicy/pod-security-policy.yaml | 65 ------------------- PodSecurityPolicy/restricted.yaml | 53 --------------- .../spec.privileged/privileged.yaml | 31 --------- 4 files changed, 168 deletions(-) delete mode 100644 PodSecurityPolicy/Ingress/simple.yaml delete mode 100644 PodSecurityPolicy/pod-security-policy.yaml delete mode 100644 PodSecurityPolicy/restricted.yaml delete mode 100644 PodSecurityPolicy/spec.privileged/privileged.yaml diff --git a/PodSecurityPolicy/Ingress/simple.yaml b/PodSecurityPolicy/Ingress/simple.yaml deleted file mode 100644 index 723ebb7..0000000 --- a/PodSecurityPolicy/Ingress/simple.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Requires an appropriate ingress controller to exist on the cluster for this to take effect ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: simple - annotations: - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 diff --git a/PodSecurityPolicy/pod-security-policy.yaml b/PodSecurityPolicy/pod-security-policy.yaml deleted file mode 100644 index 6d4b032..0000000 --- a/PodSecurityPolicy/pod-security-policy.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: pod-security-policy-psp-namespace ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: pod-security-policy-psp -spec: - privileged: false # Don't allow privileged pods! - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pod-security-policy-user - namespace: pod-security-policy-psp-namespace ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: pod-security-policy-psp-user-editor - namespace: pod-security-policy-psp-namespace -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: edit -subjects: - - kind: ServiceAccount - name: pod-security-policy-psp-namespace - namespace: pod-security-policy-psp-namespace ---- -apiVersion: v1 -kind: Pod -metadata: - name: pause - namespace: pod-security-policy-psp-namespace-unprivileged -spec: - containers: - - name: pause - image: k8s.gcr.io/pause ---- -apiVersion: v1 -kind: Pod -metadata: - name: pause - namespace: pod-security-policy-psp-namespace-privileged -spec: - containers: - - name: pause - image: k8s.gcr.io/pause - securityContext: - privileged: true diff --git a/PodSecurityPolicy/restricted.yaml b/PodSecurityPolicy/restricted.yaml deleted file mode 100644 index 60d75ea..0000000 --- a/PodSecurityPolicy/restricted.yaml +++ /dev/null @@ -1,53 +0,0 @@ ---- -# This is an example of a restrictive policy that requires users to run as an -# unprivileged user, blocks possible escalations to root, and requires use of -# several security mechanisms. -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: pod-security-policy-restricted-psp - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' - apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' - apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' -spec: - allowPrivilegeEscalation: false - # This is redundant with non-root + disallow privilege escalation, - # but we can provide it for defense in depth. - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - hostIPC: false - hostNetwork: false - hostPID: false - privileged: false - readOnlyRootFilesystem: false - # Required to prevent escalations to root. - requiredDropCapabilities: - - ALL - runAsUser: - # Require the container to run without root privileges. - rule: 'MustRunAsNonRoot' - seLinux: - # This policy assumes the nodes are using AppArmor rather than SELinux. - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - # Allow core volume types. - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' - # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use. - - 'persistentVolumeClaim' - - 'csi' - - 'ephemeral' diff --git a/PodSecurityPolicy/spec.privileged/privileged.yaml b/PodSecurityPolicy/spec.privileged/privileged.yaml deleted file mode 100644 index 1b55503..0000000 --- a/PodSecurityPolicy/spec.privileged/privileged.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -# This is the least restrictive policy you can create, equivalent to not using -# the pod security policy admission controller -# https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example-policies -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: pod-security-policy-privileged-psp - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' -spec: - privileged: true - allowPrivilegeEscalation: true - allowedCapabilities: - - '*' - volumes: - - '*' - hostNetwork: true - hostPorts: - - min: 0 - max: 65535 - hostIPC: true - hostPID: true - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny'