lines changed Original file line number Diff line number Diff line change 1+ #! /bin/bash
2+
3+ set -eu
4+
5+ kubectl delete -f ns.yaml || true
6+
7+ kubectl delete psp psp-privileged psp-restricted || true
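Review bot: Both delete commands at lines 5 and 7 use `|| true`, which discards every failure (wrong kubeconfig, missing RBAC, API unreachable) and not only the expected "not found" case, so a cleanup that did nothing still exits 0. kubectl already distinguishes the benign case: `kubectl delete --ignore-not-found -f ns.yaml` and `kubectl delete --ignore-not-found psp psp-privileged psp-restricted` keep `set -eu` meaningful for real errors. Deleting the two namespaces removes the service accounts, roles, bindings and pods created inside them, so these two commands cover the objects this change adds.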
Original file line number Diff line number Diff line change 1+ #! /bin/bash
2+
3+ export PATH=$PATH :../
4+
5+ set -eu
6+
7+ # create namespaces
8+ kubectl apply -f ns.yaml || true
9+
10+ # create service accounts
11+ kubectl apply -f sa.yaml || true
12+
13+ # create roles and rolebindings for service accounts to use pod security policies
14+ kubectl apply -f roles.yaml || true
15+
16+ # create pods
17+ kubectl apply -f pods.yaml || true
18+
19+ # generate psp and update the pod security policy name
20+ kube-psp-advisor --namespace privileged | sed -e ' s/pod-security.*/psp-privileged/g' | kubectl apply -f -
21+
22+ kube-psp-advisor --namespace restricted | sed -e ' s/pod-security.*/psp-restricted/g' | kubectl apply -f -
23+
24+ # test creating pods that pass the pod security policies
25+ kubectl apply -f pods-allow.yaml || true
26+
27+ kubectl get pods -n privileged
28+
29+ kubectl get pods -n restricted
30+
31+ # test creating pod that violate pod security policies
32+ kubectl apply -f pods-deny.yaml || true
33+
34+ kubectl get pods -n privileged
35+
36+ kubectl get pods -n restricted
37+
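Review bot: The negative test at line 32, `kubectl apply -f pods-deny.yaml || true`, can never fail the script, so a policy regression that admits the pods in pods-deny.yaml goes unnoticed and the `kubectl get pods` calls after it only print state for a human to read. Invert the expectation: `if kubectl apply -f pods-deny.yaml; then echo "pods-deny.yaml was admitted" >&2; exit 1; fi`, and drop `|| true` from the positive case at line 25 so a wrongly rejected allowed pod fails the run too. The pipelines at lines 20 and 22 run without `set -o pipefail`, so a failing `kube-psp-advisor` is only caught indirectly if kubectl rejects the empty input; adding `set -o pipefail` next to `set -eu` and writing the generated policy to a file before applying it would also leave a reviewable artifact of what was actually enforced. The `export PATH=$PATH :../` at line 3 reads as two words; if the space is not a rendering artifact, bash tries to export a variable named `:../` and `set -e` aborts before anything runs.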
Original file line number Diff line number Diff line change 1+ apiVersion : v1
2+ kind : Namespace
3+ metadata :
4+ name : restricted
5+ ---
6+ apiVersion : v1
7+ kind : Namespace
8+ metadata :
9+ name : privileged
Original file line number Diff line number Diff line change 1+ apiVersion : v1
2+ kind : Pod
3+ metadata :
4+ name : privileged-busybox-0
5+ namespace : privileged
6+ spec :
7+ serviceAccountName : privileged-sa
8+ containers :
9+ - name : my-busybox-container
10+ image : busybox
11+ args : ["sleep", "3000"]
12+ securityContext :
13+ privileged : false
14+ runAsNonRoot : false
15+ readOnlyRootFilesystem : false
16+ allowPrivilegeEscalation : true
17+ hostPID : true
18+ hostIPC : false
19+ hostNetwork : true
20+ ---
21+ apiVersion : v1
22+ kind : Pod
23+ metadata :
24+ name : restricted-busybox-0
25+ namespace : restricted
26+ spec :
27+ serviceAccountName : restricted-sa
28+ containers :
29+ - name : my-busybox-container
30+ image : busybox
31+ args : ["sleep", "3000"]
32+ securityContext :
33+ privileged : false
34+ runAsNonRoot : false
35+ readOnlyRootFilesystem : false
36+ allowPrivilegeEscalation : false
37+ hostPID : false
38+ hostIPC : false
39+ hostNetwork : false
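Review bot: The restricted seed pod at lines 21-39 runs as root with the container's default capability set (`runAsNonRoot: false` at line 34, no `capabilities` block), so a policy generated from observing it presumably allows exactly that, and the "restricted" namespace ends up only as strict as this pod. If the restricted policy is meant to be a meaningful baseline, tighten the seed: `runAsNonRoot: true`, `runAsUser: 1000` and `capabilities: {drop: ["ALL"]}` on the container. Whether kube-psp-advisor derives its output from these pods is inferred from the script's comment in this change; confirm against the tool's behaviour before relying on it.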
Original file line number Diff line number Diff line change 1+ apiVersion : v1
2+ kind : Pod
3+ metadata :
4+ name : restricted-busybox-1
5+ namespace : restricted
6+ spec :
7+ serviceAccountName : restricted-sa
8+ containers :
9+ - name : busybox-container-1
10+ image : busybox
11+ args : ["sleep", "3000"]
12+ securityContext :
13+ privileged : true # try to launch a privileged pod in restricted namespace
14+ runAsNonRoot : false
15+ readOnlyRootFilesystem : false
16+ allowPrivilegeEscalation : false
17+ capabilities :
18+ drop :
19+ - SYS_CHROOT
20+ hostPID : false
21+ hostIPC : false
22+ hostNetwork : false
23+ ---
24+ apiVersion : v1
25+ kind : Pod
26+ metadata :
27+ name : privileged-busybox-1
28+ namespace : privileged
29+ spec :
30+ serviceAccountName : restricted-sa # restricted-sa is trying to launch a privileged pod in privileged namespace
31+ containers :
32+ - name : busybox-container-1
33+ image : busybox
34+ args : ["sleep", "3000"]
35+ securityContext :
36+ privileged : true # try to launch a privileged pod in privileged namespace
37+ runAsNonRoot : false
38+ readOnlyRootFilesystem : false
39+ allowPrivilegeEscalation : false
40+ capabilities :
41+ drop :
42+ - SYS_CHROOT
43+ hostPID : false
44+ hostIPC : false
45+ hostNetwork : false
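Review bot: The second pod at lines 24-45 references `serviceAccountName: restricted-sa` in namespace `privileged`, but the accompanying sa.yaml creates `restricted-sa` only in namespace `restricted`, so unless a same-named account already exists there the pod is rejected by the ServiceAccount admission plugin for a missing account, not by the policy the comment at line 30 says it exercises. Either create the account in that namespace or change the comment and the expectation. Separately, both pods are created directly by whoever runs `kubectl apply`, and PodSecurityPolicy admission authorizes with the union of that user's and the service account's permissions, so an operator with `use` on these policies (cluster-admin has it) would see the `privileged: true` pod at line 13 admitted regardless of the role bindings; run the deny and allow applies with `--as=system:serviceaccount:restricted:restricted-sa` (and the privileged counterpart) or create the pods through a controller so only the service account's permissions count.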
Original file line number Diff line number Diff line change 1+ apiVersion : v1
2+ kind : Pod
3+ metadata :
4+ name : privileged-busybox-base
5+ namespace : privileged
6+ spec :
7+ serviceAccountName : privileged-sa
8+ containers :
9+ - name : my-busybox-container
10+ image : busybox
11+ args : ["sleep", "3000"]
12+ securityContext :
13+ capabilities :
14+ add :
15+ - SYS_ADMIN
16+ drop :
17+ - SYS_CHROOT
18+ privileged : true
19+ runAsNonRoot : false
20+ readOnlyRootFilesystem : false
21+ allowPrivilegeEscalation : true
22+ hostPID : true
23+ hostIPC : true
24+ hostNetwork : true
25+ ---
26+ apiVersion : v1
27+ kind : Pod
28+ metadata :
29+ name : restricted-busybox-base
30+ namespace : restricted
31+ spec :
32+ serviceAccountName : restricted-sa
33+ containers :
34+ - name : my-busybox-container
35+ image : busybox
36+ args : ["sleep", "3000"]
37+ securityContext :
38+ capabilities :
39+ drop :
40+ - SYS_CHROOT
41+ privileged : false
42+ runAsNonRoot : false
43+ readOnlyRootFilesystem : false
44+ allowPrivilegeEscalation : false
45+ hostPID : false
46+ hostIPC : false
47+ hostNetwork : false
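Review bot: `privileged-busybox-base` at lines 1-24 requests strictly more than the privileged seed pod in pods.yaml it is supposed to be admitted alongside: `privileged: true` (line 18), `hostIPC: true` (line 23) and an added `SYS_ADMIN` (lines 14-15), where the seed has `privileged: false`, `hostIPC: false` and no `capabilities` block. If psp-privileged is generated from the observed seed pod as the script's comment suggests, this "allow" case is presumably rejected and the run cannot tell, because the apply is wrapped in `|| true`. Either give the seed pod the same settings or move this pod to pods-deny.yaml with the rejection asserted.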
Original file line number Diff line number Diff line change 1+ kind : Role
2+ apiVersion : rbac.authorization.k8s.io/v1
3+ metadata :
4+ name : psp-restricted-role
5+ namespace : restricted
6+ rules :
7+ - apiGroups : ['policy']
8+ resources : ['podsecuritypolicies']
9+ resourceNames : ['psp-restricted']
10+ verbs : ['use']
11+ ---
12+ kind : Role
13+ apiVersion : rbac.authorization.k8s.io/v1
14+ metadata :
15+ name : psp-privileged-role
16+ namespace : privileged
17+ rules :
18+ - apiGroups : ['policy']
19+ resources : ['podsecuritypolicies']
20+ resourceNames : ['psp-privileged']
21+ verbs : ['use']
22+ ---
23+ apiVersion : rbac.authorization.k8s.io/v1
24+ kind : RoleBinding
25+ metadata :
26+ name : psp-restricted-rolebinding
27+ namespace : restricted
28+ roleRef :
29+ apiGroup : rbac.authorization.k8s.io
30+ kind : Role
31+ name : psp-restricted-role
32+ subjects :
33+ - kind : ServiceAccount
34+ name : restricted-sa
35+ namespace : restricted
36+ ---
37+ apiVersion : rbac.authorization.k8s.io/v1
38+ kind : RoleBinding
39+ metadata :
40+ name : psp-privileged-rolebinding
41+ namespace : privileged
42+ roleRef :
43+ apiGroup : rbac.authorization.k8s.io
44+ kind : Role
45+ name : psp-privileged-role
46+ subjects :
47+ - kind : ServiceAccount
48+ name : privileged-sa
49+ namespace : privileged
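Review bot: The two Role documents (lines 1 and 12) put `kind` before `apiVersion` while the two RoleBinding documents (lines 23 and 37) put `apiVersion` first; pick one order for the file so the four documents diff cleanly. The same applies to sa.yaml in this change, which also leads with `kind`.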
Original file line number Diff line number Diff line change 1+ kind : ServiceAccount
2+ apiVersion : v1
3+ metadata :
4+ name : restricted-sa
5+ namespace : restricted
6+ ---
7+ kind : ServiceAccount
8+ apiVersion : v1
9+ metadata :
10+ name : privileged-sa
11+ namespace : privileged
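Review bot: Neither account sets `automountServiceAccountToken: false`, so every test pod bound to them (all of which only run `sleep`) gets an API token mounted that it never uses. Adding `automountServiceAccountToken: false` at the top level of each document removes an unnecessary credential from the test pods without affecting what the policies check.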
Original file line number Diff line number Diff line change @@ -4,6 +4,7 @@ metadata:
44 name : my-busybox
55 namespace : psp-test
66spec :
7+ serviceAccountName : psp-test-sa
78 containers :
89 - name : my-busybox-container
910 image : busybox
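Review bot: The added `serviceAccountName: psp-test-sa` at new line 7 refers to an account that no file in this change creates (sa.yaml defines only `restricted-sa` and `privileged-sa`); if it does not already exist in `psp-test`, the pod is rejected at admission for a missing service account rather than evaluated by a policy. Either add the account to sa.yaml (in namespace `psp-test`) with a role binding to whichever policy it should use, or document where it comes from. The pod spec continues outside the hunk.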