Browse Source

notes

master
Nemo 2 years ago
parent
commit
99c1adface
4 changed files with 43 additions and 3 deletions
  1. +9
    -0
      04-ADMISSION.md
  2. +5
    -3
      resources/alpine-privileged.yml
  3. +8
    -0
      webhook/svc.yml
  4. +21
    -0
      webhook/validating-webhook-configuration.yaml

+ 9
- 0
04-ADMISSION.md View File

@ -0,0 +1,9 @@
# Admission Controllers
## References:
- https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy
## Pod Security Policy
`kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/docs/concepts/policy/restricted-psp.yaml`

resources/busybox.yml → resources/alpine-privileged.yml View File

@ -1,14 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: alpine
name: attacker-pod-privileged
namespace: attacker
spec:
containers:
- image: alpine:3.6
- image: redis:alpine
command:
- sleep
- "3600"
imagePullPolicy: IfNotPresent
name: alpine
name: attacker-pod
securityContext:
runAsUser: 1000
restartPolicy: Always

+ 8
- 0
webhook/svc.yml View File

@ -0,0 +1,8 @@
kind: "Service"
apiVersion: "v1"
metadata:
name: "kib"
spec:
type: ExternalName
externalName: kib.bb8.fun
selector: {}

+ 21
- 0
webhook/validating-webhook-configuration.yaml View File

@ -0,0 +1,21 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ExternalAdmissionHookConfiguration
metadata:
name: image-bouncer-webook
externalAdmissionHooks:
- name: image-bouncer-webhook.suse.nue.com
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
failurePolicy: Ignore
clientConfig:
caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR6RENDQXJTZ0F3SUJBZ0lVVFA3WVZsZm9IazJiR1RHR3BmZEE4QnFwb1lzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2ZqRUxNQWtHQTFVRUJoTUNSRVV4RWpBUUJnTlZCQWdUQ1VaeVlXNWpiMjVwWVRFU01CQUdBMVVFQnhNSgpUblZ5WlcxaVpYSm5NUTB3Q3dZRFZRUUtFd1JUVlZORk1Rd3dDZ1lEVlFRTERBTlNKa1F4S2pBb0JnTlZCQU1UCklXbHRZV2RsTFdKdmRXNWpaWEl0ZDJWaWFHOXZheTVrWldaaGRXeDBMbk4yWXpBZUZ3MHhPREF4TWpReE56UTEKTURCYUZ3MHlNekF4TWpNeE56UTFNREJhTUg0eEN6QUpCZ05WQkFZVEFrUkZNUkl3RUFZRFZRUUlFd2xHY21GdQpZMjl1YVdFeEVqQVFCZ05WQkFjVENVNTFjbVZ0WW1WeVp6RU5NQXNHQTFVRUNoTUVVMVZUUlRFTU1Bb0dBMVVFCkN3d0RVaVpFTVNvd0tBWURWUVFERXlGcGJXRm5aUzFpYjNWdVkyVnlMWGRsWW1odmIyc3VaR1ZtWVhWc2RDNXoKZG1Nd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURzWE1iS0czcjI4NVpsWmdqOApLa2doTGd2TTAyaGJUWUY5dzdwd05GWHdDSXVtTmRnaEUvcHh3NmVUdkxpZW1YTlRvL1VEaGpqZ3JoK292ZGcvCnpoQ0xzKy91UUpxUDY4UU14TUxlMGxMYnRIYkhjZkJ2OGZEdDM5TTBsS1ZBdmRORER2WTVoUkhvVWxGcExZMlYKSmtvUmRTUVNoeFBHK0ZJdWhwUGtIM29NZGtIRFlETjhKVTBsV3hWWStqd2VkY3dOM3R2RDRUb0ZJb3VTYkdNRwprVGQ0VXhDa2R5TVI4dnlzMms1VWxwMmY3RW9qRXIvTTJKVzhZOVU2MGJnS29RZnJUTzJhWWoweTdGUllTVUt6CmtUTUpHMjBNcC9ubFM3eWF5SjVzTVlwdHRUUGcyVFRiRkpKR1Jvc2JQNWdJeDdoRThveURjblFvb1pjWkFuVWcKUHJyZEFnTUJBQUdqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwRwpBMVVkRGdRV0JCUlVISlNoN3dZTnQwWVA2UzNUdWZ2eWRac2hZakFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBCmJJOFZKNU8vTVNxU2dKM0dMZjNJc2l3Z01BNStOVDQ5QUxVcVdtS2hjTGpjTFZodE1UNFRab2Zrc2tGajBUbFMKTy9ZL0R5NHB3QmlJeG5aaS9aemc3SDhHTmpEb1V1Q2VYYUxwYTJDeTJrcUdNc25LQXc0R1NwbXB3WDFGQkJGRgprUDZXTjJBUUxjaDZzWGFSNTE0ZHRVTmgxZUJMT0xNZHFmR1M5RC9UVnI5NjhvcDVCbW5QSGJSSXljNnlLcENHCjh1M2VicE1JWmNGanVrNm40Y092MFZkYldXWlNEWGhwbWh5alBKSmxXc0Vib3dZQjdpWllLajJoMmMxcmhRcDcKaS8vRjBHWjQzdjNWak8vb05haHg5Q2NRSU52WlVwWFd3aWRkUHd5OG04OE5HcjF3ZGo0MEozOHR2emN3Nm5vTAppeTNzZ0hubHp6a2RMM0E0NEx5ekFRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
service:
name: kib
namespace: default

Loading…
Cancel
Save