diff --git a/04-ADMISSION.md b/04-ADMISSION.md new file mode 100644 index 0000000..7f14365 --- /dev/null +++ b/04-ADMISSION.md @@ -0,0 +1,9 @@ +# Admission Controllers + +## References: + +- https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy + +## Pod Security Policy + +`kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/docs/concepts/policy/restricted-psp.yaml` \ No newline at end of file diff --git a/resources/busybox.yml b/resources/alpine-privileged.yml similarity index 51% rename from resources/busybox.yml rename to resources/alpine-privileged.yml index 4442eca..ded516a 100644 --- a/resources/busybox.yml +++ b/resources/alpine-privileged.yml @@ -1,14 +1,16 @@ apiVersion: v1 kind: Pod metadata: - name: alpine + name: attacker-pod-privileged namespace: attacker spec: containers: - - image: alpine:3.6 + - image: redis:alpine command: - sleep - "3600" imagePullPolicy: IfNotPresent - name: alpine + name: attacker-pod + securityContext: + runAsUser: 1000 restartPolicy: Always \ No newline at end of file diff --git a/webhook/svc.yml b/webhook/svc.yml new file mode 100644 index 0000000..403c2c1 --- /dev/null +++ b/webhook/svc.yml @@ -0,0 +1,8 @@ +kind: "Service" +apiVersion: "v1" +metadata: + name: "kib" +spec: + type: ExternalName + externalName: kib.bb8.fun + selector: {} \ No newline at end of file diff --git a/webhook/validating-webhook-configuration.yaml b/webhook/validating-webhook-configuration.yaml new file mode 100644 index 0000000..c1d5dc7 --- /dev/null +++ b/webhook/validating-webhook-configuration.yaml @@ -0,0 +1,21 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ExternalAdmissionHookConfiguration +metadata: + name: image-bouncer-webook +externalAdmissionHooks: + - name: image-bouncer-webhook.suse.nue.com + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + failurePolicy: Ignore + clientConfig: + caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR6RENDQXJTZ0F3SUJBZ0lVVFA3WVZsZm9IazJiR1RHR3BmZEE4QnFwb1lzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2ZqRUxNQWtHQTFVRUJoTUNSRVV4RWpBUUJnTlZCQWdUQ1VaeVlXNWpiMjVwWVRFU01CQUdBMVVFQnhNSgpUblZ5WlcxaVpYSm5NUTB3Q3dZRFZRUUtFd1JUVlZORk1Rd3dDZ1lEVlFRTERBTlNKa1F4S2pBb0JnTlZCQU1UCklXbHRZV2RsTFdKdmRXNWpaWEl0ZDJWaWFHOXZheTVrWldaaGRXeDBMbk4yWXpBZUZ3MHhPREF4TWpReE56UTEKTURCYUZ3MHlNekF4TWpNeE56UTFNREJhTUg0eEN6QUpCZ05WQkFZVEFrUkZNUkl3RUFZRFZRUUlFd2xHY21GdQpZMjl1YVdFeEVqQVFCZ05WQkFjVENVNTFjbVZ0WW1WeVp6RU5NQXNHQTFVRUNoTUVVMVZUUlRFTU1Bb0dBMVVFCkN3d0RVaVpFTVNvd0tBWURWUVFERXlGcGJXRm5aUzFpYjNWdVkyVnlMWGRsWW1odmIyc3VaR1ZtWVhWc2RDNXoKZG1Nd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURzWE1iS0czcjI4NVpsWmdqOApLa2doTGd2TTAyaGJUWUY5dzdwd05GWHdDSXVtTmRnaEUvcHh3NmVUdkxpZW1YTlRvL1VEaGpqZ3JoK292ZGcvCnpoQ0xzKy91UUpxUDY4UU14TUxlMGxMYnRIYkhjZkJ2OGZEdDM5TTBsS1ZBdmRORER2WTVoUkhvVWxGcExZMlYKSmtvUmRTUVNoeFBHK0ZJdWhwUGtIM29NZGtIRFlETjhKVTBsV3hWWStqd2VkY3dOM3R2RDRUb0ZJb3VTYkdNRwprVGQ0VXhDa2R5TVI4dnlzMms1VWxwMmY3RW9qRXIvTTJKVzhZOVU2MGJnS29RZnJUTzJhWWoweTdGUllTVUt6CmtUTUpHMjBNcC9ubFM3eWF5SjVzTVlwdHRUUGcyVFRiRkpKR1Jvc2JQNWdJeDdoRThveURjblFvb1pjWkFuVWcKUHJyZEFnTUJBQUdqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwRwpBMVVkRGdRV0JCUlVISlNoN3dZTnQwWVA2UzNUdWZ2eWRac2hZakFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBCmJJOFZKNU8vTVNxU2dKM0dMZjNJc2l3Z01BNStOVDQ5QUxVcVdtS2hjTGpjTFZodE1UNFRab2Zrc2tGajBUbFMKTy9ZL0R5NHB3QmlJeG5aaS9aemc3SDhHTmpEb1V1Q2VYYUxwYTJDeTJrcUdNc25LQXc0R1NwbXB3WDFGQkJGRgprUDZXTjJBUUxjaDZzWGFSNTE0ZHRVTmgxZUJMT0xNZHFmR1M5RC9UVnI5NjhvcDVCbW5QSGJSSXljNnlLcENHCjh1M2VicE1JWmNGanVrNm40Y092MFZkYldXWlNEWGhwbWh5alBKSmxXc0Vib3dZQjdpWllLajJoMmMxcmhRcDcKaS8vRjBHWjQzdjNWak8vb05haHg5Q2NRSU52WlVwWFd3aWRkUHd5OG04OE5HcjF3ZGo0MEozOHR2emN3Nm5vTAppeTNzZ0hubHp6a2RMM0E0NEx5ekFRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" + service: + name: kib + namespace: default \ No newline at end of file