You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Enabling Pod Security Policies in Docker for Desktop

docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
172730635f67: Pull complete 
Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff
Status: Downloaded newer image for debian:latest
/ # 
/ # 
/ # vi /etc/kubernetes/manifests/kube-apiserver.yaml



apiVersion: v1                                                                  
kind: Pod                                                                       
metadata:                                                                       
  annotations:                                                                  
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.65.
  creationTimestamp: null                                                      
  labels:                                                                      
    component: kube-apiserver                                                  
    tier: control-plane                                                        
  name: kube-apiserver                                                         
  namespace: kube-system                                                       
spec:                                                                          
  containers:                                                                  
  - command:                                                                   
    - kube-apiserver                                                           
    - --advertise-address=192.168.65.4                                         
    - --allow-privileged=true                                                  
    - --authorization-mode=Node,RBAC                                           
    - --client-ca-file=/run/config/pki/ca.crt                                  
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy


Restart Docker for Desktop.


https://minikube.sigs.k8s.io/docs/tutorials/using_psp/


Sample PodSecurityPolicy - privileged

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"    
rules:
- apiGroups:
  - policy
  resourceNames:
  - privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"   
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: podsecuritypolicy:privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
  • No labels

Copyright JMEHAN.COM