forked from rancher/rancher
-
Notifications
You must be signed in to change notification settings - Fork 1
/
podsecuritypolicytemplate_data.go
113 lines (107 loc) · 2.88 KB
/
podsecuritypolicytemplate_data.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
package app
import (
"fmt"
v3 "github.com/rancher/types/apis/management.cattle.io/v3"
"github.com/rancher/types/config"
v1 "k8s.io/api/core/v1"
"k8s.io/api/extensions/v1beta1"
"k8s.io/apimachinery/pkg/api/errors"
v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const runAsAny = "RunAsAny"
const mustRunAs = "MustRunAs"
func addDefaultPodSecurityPolicyTemplates(management *config.ManagementContext) error {
pspts := management.Management.PodSecurityPolicyTemplates("")
policies := []*v3.PodSecurityPolicyTemplate{
{
ObjectMeta: v12.ObjectMeta{
Name: "unrestricted",
},
Spec: v1beta1.PodSecurityPolicySpec{
Privileged: true,
AllowPrivilegeEscalation: toBoolPtr(true),
AllowedCapabilities: []v1.Capability{
"*",
},
Volumes: []v1beta1.FSType{
"*",
},
HostNetwork: true,
HostPorts: []v1beta1.HostPortRange{
{Min: 0, Max: 65535},
},
HostIPC: true,
HostPID: true,
RunAsUser: v1beta1.RunAsUserStrategyOptions{
Rule: runAsAny,
},
SELinux: v1beta1.SELinuxStrategyOptions{
Rule: runAsAny,
},
SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
Rule: runAsAny,
},
FSGroup: v1beta1.FSGroupStrategyOptions{
Rule: runAsAny,
},
},
Description: "This is the default unrestricted Pod Security Policy Template. It is the most permissive " +
"Pod Security Policy that can be created in Kubernetes and is equivalent to running Kubernetes " +
"without Pod Security Policies enabled.",
},
{
ObjectMeta: v12.ObjectMeta{
Name: "restricted",
},
Spec: v1beta1.PodSecurityPolicySpec{
Privileged: false,
AllowPrivilegeEscalation: toBoolPtr(false),
RequiredDropCapabilities: []v1.Capability{
"ALL",
},
Volumes: []v1beta1.FSType{
"configMap",
"emptyDir",
"projected",
"secret",
"downwardAPI",
"persistentVolumeClaim",
},
HostNetwork: false,
HostIPC: false,
HostPID: false,
RunAsUser: v1beta1.RunAsUserStrategyOptions{
Rule: runAsAny,
},
SELinux: v1beta1.SELinuxStrategyOptions{
Rule: runAsAny,
},
SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
Rule: mustRunAs,
Ranges: []v1beta1.IDRange{
{Min: 1, Max: 65535},
},
},
FSGroup: v1beta1.FSGroupStrategyOptions{
Rule: mustRunAs,
Ranges: []v1beta1.IDRange{
{Min: 1, Max: 65535},
},
},
ReadOnlyRootFilesystem: false,
},
Description: "This is the default restricted Pod Security Policy Template. It restricts many user " +
"actions and does not allow privilege escalation.",
},
}
for _, policy := range policies {
_, err := pspts.Create(policy)
if err != nil && !errors.IsAlreadyExists(err) {
return fmt.Errorf("error creating default pspt: %v", err)
}
}
return nil
}
func toBoolPtr(boolean bool) *bool {
return &boolean
}