From e6913b141ced34bca44755c7439d94cc2e8572b1 Mon Sep 17 00:00:00 2001
From: Ben Fuller
Date: Tue, 19 Feb 2019 15:44:06 -0700
Subject: [PATCH] add pod security policy
---
 k8s/backend-deployment.yaml | 1 +
 k8s/cluster-role.yaml | 13 +++++++++++++
 k8s/frontend-deployment.yaml | 1 +
 k8s/psp.yaml | 17 +++++++++++++++++
 k8s/role-binding.yaml | 13 +++++++++++++
 k8s/service-account.yaml | 4 ++++
 6 files changed, 49 insertions(+)
 create mode 100644 k8s/cluster-role.yaml
 create mode 100644 k8s/psp.yaml
 create mode 100644 k8s/role-binding.yaml
 create mode 100644 k8s/service-account.yaml
diff --git a/k8s/backend-deployment.yaml b/k8s/backend-deployment.yaml
index 9398694..fa8caa4 100644
--- a/k8s/backend-deployment.yaml
+++ b/k8s/backend-deployment.yaml
@@ -14,6 +14,7 @@ spec:
 labels:
 app: pong-backend
 spec:
+ serviceAccountName: queue-app
 containers:
 - name: queue-backend
 image: benjamintf1/queue-backend:latest
diff --git a/k8s/cluster-role.yaml b/k8s/cluster-role.yaml
new file mode 100644
index 0000000..7dad200
--- /dev/null
+++ b/k8s/cluster-role.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: queue-app
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - queue-app
+ verbs:
+ - use
diff --git a/k8s/frontend-deployment.yaml b/k8s/frontend-deployment.yaml
index 9b80fad..57aa32a 100644
--- a/k8s/frontend-deployment.yaml
+++ b/k8s/frontend-deployment.yaml
@@ -14,6 +14,7 @@ spec:
 labels:
 app: pong-frontend
 spec:
+ serviceAccountName: queue-app
 containers:
 - name: queue-frontend
 image: benjamintf1/queue-frontend:latest
diff --git a/k8s/psp.yaml b/k8s/psp.yaml
new file mode 100644
index 0000000..4926eee
--- /dev/null
+++ b/k8s/psp.yaml
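Review bot: Setting `serviceAccountName: queue-app` in the backend-deployment hunk switches the pod to a dedicated account, but the account's token is still mounted into every container by default, and nothing in the hunk turns that off; unless the app actually talks to the Kubernetes API (it looks like a plain queue service, but that cannot be confirmed from here) add `automountServiceAccountToken: false` next to the new line. The pod spec also carries no `securityContext`, and because the new policy uses `runAsUser: RunAsAny`, a pod-level `securityContext:` with `runAsNonRoot: true` is the only thing that would keep these containers from running as root. The same two points apply to the frontend-deployment.yaml hunk. The enclosing pod spec continues outside the hunk.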
@@ -0,0 +1,17 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: queue-app
+spec:
+ privileged: false
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+
diff --git a/k8s/role-binding.yaml b/k8s/role-binding.yaml
new file mode 100644
index 0000000..5932968
--- /dev/null
+++ b/k8s/role-binding.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: queue-app
+subjects:
+- kind: ServiceAccount
+ name: queue-app
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: queue-app
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/k8s/service-account.yaml b/k8s/service-account.yaml
new file mode 100644
index 0000000..c633300
--- /dev/null
+++ b/k8s/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: queue-app
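Review bot: The policy in the psp hunk rejects only `privileged: true`; every other control is left open — `runAsUser: RunAsAny` still allows root, `volumes: ['*']` still allows `hostPath`, and `allowPrivilegeEscalation` (true when omitted) and `requiredDropCapabilities` are not set — so a pod admitted under it can still mount the node filesystem or keep every default capability. Since the stated purpose is a pod security policy for these two deployments, tighten the spec to `MustRunAsNonRoot`, disallow privilege escalation, drop all capabilities, and list only the volume types the deployments use (their volume sections are not in this diff, so the list below is a placeholder to confirm). Note that this object is only enforced when the cluster runs the PodSecurityPolicy admission controller, which the manifests cannot show; on clusters where `policy/v1beta1` PodSecurityPolicy has since been removed the same intent needs Pod Security Admission or an equivalent.
```yaml
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  # … unchanged: seLinux, supplementalGroups, fsGroup …
  volumes:  # placeholder — confirm against the deployments' volume sections
    - configMap
    - secret
    - emptyDir
    - projected
```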
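Review bot: The subject in the role-binding hunk hard-codes `namespace: default`, while service-account.yaml sets no namespace at all, so applying these manifests to any other namespace binds a ServiceAccount that does not exist there and, with PSP admission enabled, the two deployments' pods would be rejected; either give both files the same explicit `namespace:` or document that `default` is intended. A ClusterRoleBinding also grants `use` of the policy cluster-wide, which is broader than the workload needs; a namespaced binding referencing the same ClusterRole keeps the grant where the pods run: `kind: RoleBinding` with `metadata.namespace: <app-namespace>` (placeholder), leaving `roleRef` unchanged.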