feat: psp with rbac

deploy.yaml

@@ -18,12 +18,9 @@ spec:
     spec:
       containers:
       - name: hello
-        image: ironcore864/k8s-security-demo:pod-as-non-root
+        image: ironcore864/k8s-security-demo:pod-as-root
         ports:
           - containerPort: 8080
-        securityContext:
-          runAsNonRoot: True
-          readOnlyRootFilesystem: True
 ---
 kind: Service
 apiVersion: v1

psp.yaml

@@ -0,0 +1,22 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+spec:
+  privileged: false
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: 'MustRunAsNonRoot'
+  fsGroup:
+    rule: RunAsAny
+  readOnlyRootFilesystem: false

rbac.yaml

@@ -0,0 +1,44 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fake-user
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: fake-editor
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: fake-user
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:unprivileged
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fake-user:psp:unprivileged
+roleRef:
+  kind: ClusterRole
+  name: psp:unprivileged
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize specific service accounts (not recommended):
+- kind: ServiceAccount
+  name: fake-user
+  namespace: default