add pod security policy

Benjamintf1 · Feb 19, 2019 · e6913b1 · e6913b1
1 parent 3f17e92
commit e6913b1
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 0 deletions.
diff --git a/k8s/backend-deployment.yaml b/k8s/backend-deployment.yaml
@@ -14,6 +14,7 @@ spec:
       labels:
         app: pong-backend
     spec:
+      serviceAccountName: queue-app
       containers:
       - name: queue-backend
         image: benjamintf1/queue-backend:latest

diff --git a/k8s/cluster-role.yaml b/k8s/cluster-role.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: queue-app
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - queue-app
+  verbs:
+  - use
diff --git a/k8s/frontend-deployment.yaml b/k8s/frontend-deployment.yaml
@@ -14,6 +14,7 @@ spec:
       labels:
         app: pong-frontend
     spec:
+      serviceAccountName: queue-app
       containers:
       - name: queue-frontend
         image: benjamintf1/queue-frontend:latest

diff --git a/k8s/psp.yaml b/k8s/psp.yaml
@@ -0,0 +1,17 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: queue-app
+spec:
+  privileged: false
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'
+
diff --git a/k8s/role-binding.yaml b/k8s/role-binding.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: queue-app
+subjects:
+- kind: ServiceAccount
+  name: queue-app
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: queue-app
+  apiGroup: rbac.authorization.k8s.io
+
diff --git a/k8s/service-account.yaml b/k8s/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: queue-app