Minikube Setup
https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
Basic Setup of privileged and restricted PSPs
--- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: privileged annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: addonmanager.kubernetes.io/mode: EnsureExists spec: privileged: true allowPrivilegeEscalation: true allowedCapabilities: - "*" volumes: - "*" hostNetwork: true hostPorts: - min: 0 max: 65535 hostIPC: true hostPID: true runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted labels: addonmanager.kubernetes.io/mode: EnsureExists spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 readOnlyRootFilesystem: false --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:privileged labels: addonmanager.kubernetes.io/mode: EnsureExists rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - privileged --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:restricted labels: addonmanager.kubernetes.io/mode: EnsureExists rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - restricted --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: default:restricted labels: addonmanager.kubernetes.io/mode: EnsureExists roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:restricted subjects: - kind: Group name: system:authenticated apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default:privileged namespace: kube-system labels: addonmanager.kubernetes.io/mode: EnsureExists roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:privileged subjects: - kind: Group name: system:masters: apiGroup: rbac.authorization.k8s.io - kind: Group name: system:nodes apiGroup: rbac.authorization.k8s.io - kind: Group name: system:serviceaccounts:kube-system apiGroup: rbac.authorization.k8s.io
Docker for Desktop Setup - Doesn't Work
Enabling Pod Security Policies in Docker for Desktop
docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Unable to find image 'debian:latest' locally latest: Pulling from library/debian 172730635f67: Pull complete Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff Status: Downloaded newer image for debian:latest / # / # / # vi /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1 kind: Pod metadata: annotations: kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.65. creationTimestamp: null labels: component: kube-apiserver tier: control-plane name: kube-apiserver namespace: kube-system spec: containers: - command: - kube-apiserver - --advertise-address=192.168.65.4 - --allow-privileged=true - --authorization-mode=Node,RBAC - --client-ca-file=/run/config/pki/ca.crt - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
Restart Docker for Desktop.