Kubernetes config files are long/verbose enough as it is and a lot of the time it's just the same boilerplate repeated over and over.
PodPreset (currently alpha) covers volumes and env.
NetworkPolicy needs support from the CNI plugin.
Wishlist: readiness/liveness probe and securityContext defaults.
LimitRange can set per-namespace defaults and limits on resource requests and limits. This is nice in that it fails closed, i.e. the default is applied unless explicitly overridden.
Note: policies do not get retroactively applied to pods that already exist.
```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limitrange
spec:
  limits:
    - type: Container
      default:          # applied as the limit when a container sets none
        cpu: 100m
        memory: 100Mi
      defaultRequest:   # applied as the request when a container sets none
        cpu: 50m
        memory: 50Mi
      # min:
      # max:
```
PodSecurityPolicy is tied to service accounts; one can be bound to the default service account. This is less nice, as specifying a different service account will bypass this policy. Instead, policies have to be enforced by an Admission Controller.
Note: default and additional capabilities.
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default"
    seccomp.security.alpha.kubernetes.io/defaultProfileName: "runtime/default"
    apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default"
    apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"
  name: default-security
spec:
  # user
  runAsGroup:
    rule: "MustRunAs"
    ranges:
      - min: 1
        max: 65535
  runAsUser:
    rule: "MustRunAsNonRoot"
  fsGroup:
    rule: "MustRunAs"
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: "MustRunAs"
    ranges:
      - min: 1
        max: 65535
  # privilege
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # host
  hostIPC: false
  hostNetwork: false
  hostPID: false
  hostPorts: []
  # allowedHostPaths: []
  # allowedProcMountTypes: []
  # allowedUnsafeSysctls: []
  # forbiddenSysctls: []
  seLinux:
    rule: "RunAsAny"
  # capabilities
  # allowedCapabilities:
  # defaultAddCapabilities:
  requiredDropCapabilities:
    - ALL
    # Default set from Docker, without DAC_OVERRIDE or CHOWN
    # - FOWNER
    # - FSETID
    # - KILL
    # - SETGID
    # - SETUID
    # - SETPCAP
    # - NET_BIND_SERVICE
    # - NET_RAW
    # - SYS_CHROOT
    # - MKNOD
    # - AUDIT_WRITE
    # - SETFCAP
  # filesystem
  readOnlyRootFilesystem: false
  volumes: [] # may want to relax this for configMap / persistentVolumeClaim / ...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-security
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - default-security
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-security
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-security
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default # required for ServiceAccount subjects; must be the namespace this binding is created in
```
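To make the "fails closed" behaviour of the LimitRange and the checks of the PodSecurityPolicy above concrete, here is an added example (not code from the original post) that models what the LimitRanger and PodSecurityPolicy admission plugins do to a pod spec; the pod specs it is fed are constructed for illustration and the model is deliberately simplified to the fields used above.

```python
from copy import deepcopy

# Values taken from the LimitRange and PodSecurityPolicy manifests above.
LIMIT_RANGE = {"default": {"cpu": "100m", "memory": "100Mi"},
               "defaultRequest": {"cpu": "50m", "memory": "50Mi"}}
PSP = {"privileged": False, "allowPrivilegeEscalation": False,
       "hostIPC": False, "hostNetwork": False, "hostPID": False,
       "runAsUser": "MustRunAsNonRoot", "allowedCapabilities": [],
       "requiredDropCapabilities": ["ALL"], "volumes": []}

def apply_limitrange_defaults(pod_spec, lr=LIMIT_RANGE):
    """Mimic LimitRanger: a container keeps whatever it declares and gets the
    namespace default for anything it leaves unset (fails closed)."""
    spec = deepcopy(pod_spec)
    for c in spec["containers"]:
        res = c.setdefault("resources", {})
        for key, dflt in (("limits", lr["default"]), ("requests", lr["defaultRequest"])):
            section = res.setdefault(key, {})
            for name, value in dflt.items():
                section.setdefault(name, value)
    return spec

def psp_admit(pod_spec, psp=PSP):
    """Return (mutated_spec, violations); the pod is admitted only when the
    violation list is empty. Like the real plugin this validates and defaults."""
    spec, bad = deepcopy(pod_spec), []
    for f in ("hostIPC", "hostNetwork", "hostPID"):
        if spec.get(f) and not psp[f]:
            bad.append(f"{f} is not allowed")
    if spec.get("volumes") and not psp["volumes"]:      # volumes: [] allows none
        bad.append("no volume types are allowed")
    for c in spec["containers"]:
        sc = c.setdefault("securityContext", {})
        if sc.get("privileged") and not psp["privileged"]:
            bad.append(f"{c['name']}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            bad.append(f"{c['name']}: allowPrivilegeEscalation is not allowed")
        sc.setdefault("allowPrivilegeEscalation", psp["allowPrivilegeEscalation"])
        if psp["runAsUser"] == "MustRunAsNonRoot":
            if sc.get("runAsUser") == 0:
                bad.append(f"{c['name']}: must not run as UID 0")
            sc.setdefault("runAsNonRoot", True)        # kubelet verifies against the image
        caps = sc.setdefault("capabilities", {})
        for cap in caps.get("add", []):                 # nothing may be added
            if cap not in psp["allowedCapabilities"]:
                bad.append(f"{c['name']}: capability {cap} is not allowed")
        caps["drop"] = sorted(set(caps.get("drop", [])) | set(psp["requiredDropCapabilities"]))
    return spec, bad
```

Feeding a pod that only sets `cpu: 250m` as a limit shows the other three resource values filled in from the LimitRange, while a pod asking for `hostPID`, a privileged container, UID 0 or an added capability is rejected with one reason per violation.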