Minikube Setup
https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
Install minikube on Mac with Apple Silicon
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-darwin-arm64 sudo install minikube-darwin-arm64 /usr/local/bin/minikube
Start Minikube with Kubernetes version 1.21.5 running in Docker for Desktop.
minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy --driver=docker --alsologtostderr --kubernetes-version=v1.21.5
Basic Setup of privileged and restricted PSPs
--- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: privileged annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: addonmanager.kubernetes.io/mode: EnsureExists spec: privileged: true allowPrivilegeEscalation: true allowedCapabilities: - "*" volumes: - "*" hostNetwork: true hostPorts: - min: 0 max: 65535 hostIPC: true hostPID: true runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted labels: addonmanager.kubernetes.io/mode: EnsureExists spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 readOnlyRootFilesystem: false --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:privileged labels: addonmanager.kubernetes.io/mode: EnsureExists rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - privileged --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:restricted labels: addonmanager.kubernetes.io/mode: EnsureExists rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - restricted --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: default:restricted labels: addonmanager.kubernetes.io/mode: EnsureExists roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:restricted subjects: - kind: Group name: system:authenticated apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default:privileged namespace: kube-system labels: addonmanager.kubernetes.io/mode: EnsureExists roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:privileged subjects: - kind: Group name: system:masters: apiGroup: rbac.authorization.k8s.io - kind: Group name: system:nodes apiGroup: rbac.authorization.k8s.io - kind: Group name: system:serviceaccounts:kube-system apiGroup: rbac.authorization.k8s.io
Docker for Desktop Setup - Doesn't Work
Enabling Pod Security Policies in Docker for Desktop
docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Unable to find image 'debian:latest' locally latest: Pulling from library/debian 172730635f67: Pull complete Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff Status: Downloaded newer image for debian:latest / # / # / # vi /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1 kind: Pod metadata: annotations: kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.65. creationTimestamp: null labels: component: kube-apiserver tier: control-plane name: kube-apiserver namespace: kube-system spec: containers: - command: - kube-apiserver - --advertise-address=192.168.65.4 - --allow-privileged=true - --authorization-mode=Node,RBAC - --client-ca-file=/run/config/pki/ca.crt - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
Restart Docker for Desktop.
References
Reference | URL |
---|---|
Using Minikube with Pod Security Policies | https://minikube.sigs.k8s.io/docs/tutorials/using_psp/ |
How to run a Minikube on Apple Silicon M1 | https://medium.com/@seohee.sophie.kwon/how-to-run-a-minikube-on-apple-silicon-m1-8373c248d669 |