Created
October 23, 2020 15:12
-
-
Save PhilipSchmid/8e3305f14818be271f8ee969a17e6b90 to your computer and use it in GitHub Desktop.
A (more or less) complete RBAC example for Kubernetes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ | |
| # Attention: This PSP has quite some loose restrictions! Do not just copy & paste it! | |
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: example | |
| spec: | |
| allowPrivilegeEscalation: true | |
| allowedCapabilities: | |
| - '*' | |
| fsGroup: | |
| rule: RunAsAny | |
| hostNetwork: true | |
| privileged: true | |
| runAsUser: | |
| rule: RunAsAny | |
| seLinux: | |
| rule: RunAsAny | |
| supplementalGroups: | |
| rule: RunAsAny | |
| volumes: | |
| - '*' | |
| --- | |
| # https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: exampletest | |
| namespace: default | |
| --- | |
| # Can sometimes also be a ClusterRole - depending on the use case. | |
| # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: exampletest-role | |
| namespace: default | |
| rules: | |
| - apiGroups: | |
| - policy | |
| resources: | |
| - podsecuritypolicies | |
| verbs: | |
| - use | |
| resourceNames: | |
| - example | |
| --- | |
| # Can sometimes also be a ClusterBinding - depending on the use case. | |
| # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: exampletest-rolebinding | |
| namespace: default | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: exampletest-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: exampletest | |
| namespace: default | |
| --- | |
| # Required with the RBAC stuff above -> ServiceAccount: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ | |
| # Optional -> SecurityContext: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | |
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: exampletest | |
| namespace: default | |
| spec: | |
| serviceAccountName: exampletest | |
| containers: | |
| - args: | |
| - "/bin/sleep" | |
| - "3600" | |
| image: alpine:3.12 | |
| name: exampletest | |
| securityContext: | |
| privileged: true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment