# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Adds selected PodSecurityPolicy constraints # https://cloud.google.com/anthos-config-management/docs/how-to/using-constraints-to-enforce-pod-security --- # prevent privileged containers apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: psp-privileged-container spec: enforcementAction: dryrun match: kinds: - apiGroups: [""] kinds: ["Pod"] excludedNamespaces: ["istio-egress", "istio-ingress", "istio-system", "kube-system"] --- # prevent hostPath volumes apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: psp-host-filesystem spec: enforcementAction: dryrun match: kinds: - apiGroups: [""] kinds: ["Pod"] excludedNamespaces: ["istio-egress", "istio-ingress", "istio-system", "kube-system"] parameters: allowedHostPaths: [] --- # prevent privilege escalation # Applied in tenant namespaces only apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowPrivilegeEscalationContainer metadata: name: psp-allow-privilege-escalation-container spec: enforcementAction: dryrun match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaceSelector: matchLabels: tenant-ns: "true" --- # Require read only filesystem # Applied in tenant namespaces only apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: psp-readonlyrootfilesystem spec: enforcementAction: dryrun match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaceSelector: matchLabels: tenant-ns: "true"