/*
 * Copyright © 2020 Atomist, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";

import { specResourceName } from "./spec";

/**
 * Arguments to pod security policy functions.
 *
 * Every policy built from these arguments is a `policy/v1beta1`
 * PodSecurityPolicy. NOTE(review): that API was deprecated in
 * Kubernetes 1.21 and removed in 1.25; on newer clusters the same
 * controls have to come from Pod Security Admission or another
 * admission controller, and these resources will fail to apply.
 */
export interface PodSecurityPolicyArgs {
    /** Kubernetes provider used to create the resource. */
    provider: k8s.Provider;
    /**
     * Optional name of resource to create. Each policy function
     * substitutes its own default when this is omitted or empty.
     */
    name?: string;
    /**
     * Options to use when creating the resources. The Kubernetes
     * provider will be automatically set as the provider and takes
     * precedence over any provider given here.
     */
    options?: pulumi.CustomResourceOptions;
}

/**
 * Create the customer-restricted pod security policy.
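 *
 * Intended for workloads that are not trusted: privileged mode, host
 * namespaces and privilege escalation are denied, all capabilities are
 * dropped except a small file-ownership set, sysctls are forbidden, and
 * pods are pinned to the `gvisor` runtime class. Containers may still
 * run as any user (including root) with a writable root filesystem; the
 * sandboxed runtime, not the user, is what contains them.
 *
 * @param args provider, optional name (default `customer-restricted`)
 *   and optional resource options
 * @returns the created PodSecurityPolicy resource
 * @throws Error propagated from [[createPodSecurityPolicy]] when the
 *   spec cannot be named
 */
export function podSecurityPolicyCustomerRestricted(
    args: PodSecurityPolicyArgs,
): k8s.policy.v1beta1.PodSecurityPolicy {
    return createPodSecurityPolicy({
        // `||` rather than `??`: an empty name also falls back to the default.
        name: args.name || "customer-restricted",
        options: args.options,
        provider: args.provider,
        spec: {
            allowPrivilegeEscalation: false,
            // Nothing may be requested beyond the defaultAddCapabilities set.
            allowedCapabilities: [],
            allowedProcMountTypes: [],
            allowedUnsafeSysctls: [],
            // Re-added on top of requiredDropCapabilities ALL. This set only
            // covers file ownership/permission changes and setuid/setgid; no
            // NET_RAW, no MKNOD. NOTE(review): confirm how the target
            // cluster's PSP admission resolves "ALL" together with these
            // defaults before relying on the exact effective set.
            defaultAddCapabilities: [
                "CHOWN",
                "DAC_OVERRIDE",
                "FOWNER",
                "SETFCAP",
                "SETGID",
                "SETUID",
            ],
            defaultAllowPrivilegeEscalation: false,
            // Every sysctl is forbidden, including the "safe" ones.
            forbiddenSysctls: ["*"],
            fsGroup: {
                rule: "RunAsAny",
            },
            // No host IPC, network or PID namespace sharing.
            hostIPC: false,
            hostNetwork: false,
            hostPID: false,
            privileged: false,
            // A writable root filesystem is still permitted.
            readOnlyRootFilesystem: false,
            requiredDropCapabilities: ["ALL"],
            runAsGroup: {
                rule: "RunAsAny",
            },
            // Any UID, root included; isolation relies on the runtime class.
            runAsUser: {
                rule: "RunAsAny",
            },
            // gVisor is both the only allowed and the default runtime, so
            // every pod admitted by this policy is sandboxed.
            runtimeClass: {
                allowedRuntimeClassNames: ["gvisor"],
                defaultRuntimeClassName: "gvisor",
            },
            seLinux: {
                rule: "RunAsAny",
            },
            supplementalGroups: {
                rule: "RunAsAny",
            },
            // Only ephemeral and secret volumes: no hostPath, configMap,
            // projected or persistent volume claims.
            volumes: ["emptyDir", "secret"],
        },
    });
}

/**
 * Create the customer-trusted pod security policy.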
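 */
export function podSecurityPolicyCustomerTrusted(
    args: PodSecurityPolicyArgs,
): k8s.policy.v1beta1.PodSecurityPolicy {
    // Same hardening as customer-restricted (no privileged mode, no host
    // namespaces, no escalation, all sysctls forbidden, emptyDir/secret
    // volumes only) with two relaxations: a broader default capability
    // set, and no runtimeClass, so pods run on the cluster's default
    // runtime rather than being steered to gVisor.
    return createPodSecurityPolicy({
        // `||` rather than `??`: an empty name also falls back to the default.
        name: args.name || "customer-trusted",
        options: args.options,
        provider: args.provider,
        spec: {
            allowPrivilegeEscalation: false,
            allowedCapabilities: [],
            allowedProcMountTypes: [],
            allowedUnsafeSysctls: [],
            // Re-added on top of requiredDropCapabilities ALL. This appears
            // to be the container runtime's (Docker's) default capability
            // set. Compared with customer-restricted it adds NET_RAW,
            // MKNOD, SYS_CHROOT, KILL, NET_BIND_SERVICE, SETPCAP,
            // AUDIT_WRITE and FSETID; the restricted Pod Security Standards
            // profile would allow only NET_BIND_SERVICE back.
            defaultAddCapabilities: [
                "AUDIT_WRITE",
                "CHOWN",
                "DAC_OVERRIDE",
                "FOWNER",
                "FSETID",
                "KILL",
                "MKNOD",
                "NET_BIND_SERVICE",
                "NET_RAW",
                "SETFCAP",
                "SETPCAP",
                "SETGID",
                "SETUID",
                "SYS_CHROOT",
            ],
            defaultAllowPrivilegeEscalation: false,
            forbiddenSysctls: ["*"],
            fsGroup: {
                rule: "RunAsAny",
            },
            hostIPC: false,
            hostNetwork: false,
            hostPID: false,
            privileged: false,
            // A writable root filesystem is still permitted.
            readOnlyRootFilesystem: false,
            requiredDropCapabilities: ["ALL"],
            runAsGroup: {
                rule: "RunAsAny",
            },
            // Any UID, root included, on the default (unsandboxed) runtime.
            runAsUser: {
                rule: "RunAsAny",
            },
            seLinux: {
                rule: "RunAsAny",
            },
            supplementalGroups: {
                rule: "RunAsAny",
            },
            volumes: ["emptyDir", "secret"],
        },
    });
}

/**
 * Arguments to [[createPodSecurityPolicy]].
 *
 * NOTE(review): the type arguments below were reconstructed from how the
 * two policy functions call [[createPodSecurityPolicy]] (name is always
 * supplied, provider is required, options stays optional); the original
 * declaration was garbled in extraction — confirm against upstream.
 */
interface CreatePodSecurityPolicyArgs
    extends Required<Pick<PodSecurityPolicyArgs, "name" | "provider">>,
        Pick<PodSecurityPolicyArgs, "options"> {
    /** Pod security policy spec property. */
    spec: k8s.types.input.policy.v1beta1.PodSecurityPolicySpec;
}

/**
 * Create a pod security policy.
 *
 * @param args name, provider, optional resource options and the policy spec
 * @returns the created `policy/v1beta1` PodSecurityPolicy resource
 * @throws Error when `specResourceName` returns a falsy value for the
 *   assembled object, i.e. the spec is considered incomplete
 */
function createPodSecurityPolicy(
    args: CreatePodSecurityPolicyArgs,
): k8s.policy.v1beta1.PodSecurityPolicy {
    const spec = {
        apiVersion: "policy/v1beta1" as const,
        kind: "PodSecurityPolicy" as const,
        metadata: {
            name: args.name,
        },
        spec: args.spec,
    };
    // NOTE(review): presumably the Pulumi resource name is derived from
    // metadata in ./spec; only the falsy check is visible here.
    const resource = specResourceName(spec);
    if (!resource) {
        throw new Error(
            `Provided pod security policy spec is not complete: ${JSON.stringify(
                args.spec,
            )}`,
        );
    }
    // The explicit provider always overrides any provider set in options.
    const options = { ...args.options, provider: args.provider };
    return new k8s.policy.v1beta1.PodSecurityPolicy(resource, spec, options);
}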