@surajssd
Created October 22, 2018 18:17
# Create a fully privileged PodSecurityPolicy, a ClusterRole that grants
# 'use' on it, and a ClusterRoleBinding for the kube-system service accounts.
echo "
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: privileged-psp
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - privileged
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: privileged-psp-cluster-admins
roleRef:
  kind: ClusterRole
  name: privileged-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  # NOTE: misspelled on purpose for the first run. The group Kubernetes assigns to
  # service accounts is system:serviceaccounts:<namespace> (plural); the singular
  # form is a user-name prefix, so no subject ever matches this binding.
  name: system:serviceaccount:kube-system
  apiGroup: rbac.authorization.k8s.io
" | kubectl apply -f -

# With the broken binding the replicaset controller (a kube-system service
# account) cannot use any PSP, so the deployment's pods are never created.
# Read the reason from the deployment's most recent condition.
kubectl --kubeconfig kubeconfig create ns psp-testing
kubectl --kubeconfig kubeconfig -n psp-testing run web --image httpd
kubectl --kubeconfig kubeconfig -n psp-testing get deployment web -o jsonpath='{.status.conditions[-1:].message}'
# Re-apply the binding with the correct group name (system:serviceaccounts:kube-system).
echo "
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: privileged-psp-cluster-admins
roleRef:
  kind: ClusterRole
  name: privileged-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:serviceaccounts:kube-system
  apiGroup: rbac.authorization.k8s.io
" | kubectl apply -f -

# Now the controller can use the PSP and the pods come up.
kubectl --kubeconfig kubeconfig create ns psp-testing2
kubectl --kubeconfig kubeconfig -n psp-testing2 run web --image httpd
kubectl --kubeconfig kubeconfig -n psp-testing2 get pods
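Two things in the gist are worth catching before manifests reach a cluster: the misspelled service-account group (which silently grants nothing) and the fact that the policy being granted is fully unrestricted. The following is an added example, not part of the gist: a small offline audit of PSP and RBAC documents. The manifests are constructed Python-dict copies of the gist's documents (first version, with the typo); the function names are my own.

```python
"""Offline audit of PodSecurityPolicy + RBAC manifests (added example).

Checks (a) which spec fields make a PSP effectively unrestricted,
(b) Group subjects that can never match or match far too broadly, and
(c) which subjects end up allowed to 'use' which PSPs after resolving
ClusterRole -> ClusterRoleBinding.  Input is plain dicts so it runs offline.
"""

# Kubernetes groups every service account into "system:serviceaccounts" and
# "system:serviceaccounts:<namespace>" (plural).  The singular string is the
# prefix of a service account's *user* name and is never a group.
SA_GROUP_PREFIX = "system:serviceaccounts"
SA_USER_PREFIX = "system:serviceaccount:"
BROAD_GROUPS = {SA_GROUP_PREFIX, "system:authenticated", "system:unauthenticated"}

# Constructed copies of the gist's documents (metadata trimmed to what matters).
PRIVILEGED_PSP = {
    "apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
    "metadata": {"name": "privileged"},
    "spec": {
        "privileged": True, "allowPrivilegeEscalation": True,
        "allowedCapabilities": ["*"], "volumes": ["*"],
        "hostNetwork": True, "hostPorts": [{"min": 0, "max": 65535}],
        "hostIPC": True, "hostPID": True,
        "runAsUser": {"rule": "RunAsAny"}, "seLinux": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"}, "fsGroup": {"rule": "RunAsAny"},
    },
}
PSP_USE_ROLE = {
    "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "privileged-psp"},
    "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
               "verbs": ["use"], "resourceNames": ["privileged"]}],
}


def binding(group_name):
    """ClusterRoleBinding granting the privileged-psp role to one Group."""
    return {
        "kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "privileged-psp-cluster-admins"},
        "roleRef": {"kind": "ClusterRole", "name": "privileged-psp",
                    "apiGroup": "rbac.authorization.k8s.io"},
        "subjects": [{"kind": "Group", "name": group_name,
                      "apiGroup": "rbac.authorization.k8s.io"}],
    }


def psp_findings(psp):
    """Return the spec settings that remove a restriction (empty = restrictive)."""
    spec = psp.get("spec", {})
    out = [f for f in ("privileged", "allowPrivilegeEscalation", "hostNetwork",
                       "hostPID", "hostIPC") if spec.get(f) is True]
    out += [f"{f}=*" for f in ("allowedCapabilities", "volumes") if "*" in spec.get(f, [])]
    out += [f"{c}=RunAsAny" for c in ("runAsUser", "seLinux", "supplementalGroups", "fsGroup")
            if spec.get(c, {}).get("rule") == "RunAsAny"]
    return out


def subject_findings(subject):
    """Flag a Group subject that is a typo (never matches) or cluster-wide."""
    if subject.get("kind") != "Group":
        return []
    name = subject.get("name", "")
    if name.startswith(SA_USER_PREFIX):
        return [f"'{name}' uses the singular user prefix; the group is "
                f"'{SA_GROUP_PREFIX}:<ns>', so this binding matches nobody"]
    if name in BROAD_GROUPS:
        return [f"'{name}' binds every member of a cluster-wide group"]
    return []


def psps_usable_by(docs):
    """Map (subject kind, name) -> set of PSP names the subject may 'use'."""
    role_to_psps = {}
    for d in docs:
        if d.get("kind") != "ClusterRole":
            continue
        names = set()
        for rule in d.get("rules", []):
            if "use" in rule.get("verbs", []) and "podsecuritypolicies" in rule.get("resources", []):
                names.update(rule.get("resourceNames", []))
        role_to_psps[d["metadata"]["name"]] = names
    usable = {}
    for d in docs:
        if d.get("kind") == "ClusterRoleBinding" and d["roleRef"].get("kind") == "ClusterRole":
            granted = role_to_psps.get(d["roleRef"]["name"], set())
            for s in d.get("subjects", []):
                usable.setdefault((s["kind"], s["name"]), set()).update(granted)
    return usable


if __name__ == "__main__":
    for name in ("system:serviceaccount:kube-system", "system:serviceaccounts:kube-system"):
        docs = [PRIVILEGED_PSP, PSP_USE_ROLE, binding(name)]
        print(name, "->", psps_usable_by(docs), subject_findings(docs[2]["subjects"][0]))
    print("PSP 'privileged' relaxes:", psp_findings(PRIVILEGED_PSP))
```

The RBAC resolution deliberately reports what a binding grants on paper; the typo check is what tells you the grant on paper reaches no real subject, which is exactly the gap the deployment condition message exposes in the gist.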