
PodSecurityPolicy #279

Open
olofwalker opened this issue Jun 19, 2019 · 0 comments

Comments

@olofwalker
Contributor

Hi,

I've implemented PodSecurityPolicy as a standalone object in our project, which uses Skuber. In the end, for various reasons, we decided not to use this solution, so we removed the code from the project.

Working towards deadlines, I can't provide a full PR for it, but I hope that by including the code I used in this issue, it will be easy for someone to use this with Skuber in the future or to provide a proper PR.

/**
 * A Kubernetes PodSecurityPolicy resource exposed as a Skuber ObjectResource.
 *
 * `kind`, `apiVersion` and `metadata` are the ObjectResource members; only `apiVersion`
 * carries `override`, so presumably the parent already supplies a concrete value for it
 * (confirm against ObjectResource). Companion-object members describe the API group,
 * the nested spec types and the JSON codecs.
 *
 * @param kind       resource kind, "PodSecurityPolicy" unless overridden
 * @param apiVersion API group/version the resource is addressed under
 * @param metadata   object metadata for the policy
 * @param spec       policy body; None when the resource has no spec yet
 */
case class PodSecurityPolicy(
    kind: String = "PodSecurityPolicy",
    override val apiVersion: String = "extensions/v1beta1",
    metadata: ObjectMeta,
    spec: Option[PodSecurityPolicy.Spec] = None
) extends ObjectResource
  with Limitable

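/**
 * Companion holding the API description of PodSecurityPolicy, the nested spec types and
 * their Play-JSON formats.
 *
 * PodSecurityPolicy is deprecated in Kubernetes and was removed in v1.25 in favour of
 * Pod Security Admission; confirm that the target cluster still serves
 * `extensions/v1beta1` before relying on this definition.
 */
object PodSecurityPolicy {
  /** Resource description for the Skuber client: `extensions/v1beta1`, cluster-scoped, short name `psp`. */
  val specification = NonCoreResourceSpecification(
    version = Some("v1beta1"),
    apiGroup = "extensions",
    versions = List.empty,
    scope = ResourceSpecification.Scope.Cluster,
    names = ResourceSpecification.Names(plural = "podsecuritypolicies", singular = "podsecuritypolicy", kind = "PodSecurityPolicy", shortNames = List("psp")),
    subresources = None
  )

  // ---- nested spec types -------------------------------------------------------------
  // Field names drive the JSON keys (Json.format), so the shape of these classes *is* the
  // wire format. NOTE(review): two of them differ from the Kubernetes API objects they
  // mirror; changing the types would be an API change for users of these classes, so they
  // are only flagged here:
  //  - the API's `ranges` on the FSGroup/RunAsUser/RunAsGroup/SupplementalGroups strategy
  //    options is a list of {min,max} objects, not a single object;
  //  - the API's `hostPorts` is a list of {min,max} objects, whereas HostPortRange below
  //    carries `privileged`/`readOnlyRootFilesystem` strings plus a nested range.
  // A policy read back from the API with those fields populated would not parse as-is.

  case class AllowedFlexVolumes(driver: String)
  /** Host path prefix pods may mount; `readOnly` forces the mount to be read-only. */
  case class AllowedHostPath(pathPrefix: String, readOnly: Boolean)
  case class AllowedCSIDriver(name: String)
  case class PortRange(min: Int, max: Int)
  /** Inclusive id range. Shadows `scala.Range` inside this object; qualify the stdlib one as `scala.Range` if needed. */
  case class Range(min: Int, max: Int)
  case class FsGroupStrategyOptions(rule: String, ranges: Option[Range])
  case class HostPortRange(privileged: String, readOnlyRootFilesystem: String, range: PortRange)
  case class RunAsUserStrategyOptions(rule: String, ranges: Option[Range])
  case class RunAsGroupStrategyOptions(rule: String, ranges: Option[Range])
  /**
   * SELinux label fields. The API key is `type`; it is backticked because `type` is a
   * Scala keyword, and Json.format uses the decoded name so the JSON key is "type"
   * (the previous `tsomype` spelling produced a key the API server never sends or reads).
   */
  case class SeLinuxOptions(level: Option[String], role: Option[String], `type`: Option[String], user: Option[String])
  case class SeLinuxStrategyOptions(rule: String, seLinuxOptions: Option[SeLinuxOptions])
  case class SupplementalGroupsStrategyOptions(rule: String, ranges: Option[Range])

  /**
   * Common `rule` values for the *StrategyOptions classes. Not every rule is valid for
   * every strategy (MustRunAsNonRoot applies to runAsUser); the API server validates.
   */
  val MustRunAsNonRoot: String = "MustRunAsNonRoot"
  val RunAsAny: String = "RunAsAny"
  val MustRunAs: String = "MustRunAs"

  /**
   * Body of the policy.
   *
   * The Boolean fields are modelled as plain `Boolean` defaulting to `false` rather than
   * `Option[Boolean]`, so a Spec built here always serialises an explicit, restrictive
   * value (no privileged containers, no host namespaces, no privilege escalation) unless
   * the caller opts in. The API server treats an absent `allowPrivilegeEscalation` as
   * allowed, so emitting the explicit `false` is the safer default.
   *
   * Fields without a default (`fsGroup`, `runAsUser`, `seLinux`, `supplementalGroups`)
   * are required by the API.
   */
  case class Spec(
      allowPrivilegeEscalation: Boolean = false,
      allowedCSIDrivers: Option[List[AllowedCSIDriver]] = None,
      allowedCapabilities: Option[List[String]] = None,
      allowedFlexVolumes: Option[List[AllowedFlexVolumes]] = None,
      allowedHostPaths: Option[List[AllowedHostPath]] = None,
      allowedProcMountTypes: Option[List[String]] = None,
      allowedUnsafeSysctls: Option[List[String]] = None,
      defaultAddCapabilities: Option[List[String]] = None,
      defaultAllowPrivilegeEscalation: Boolean = false,
      forbiddenSysctls: Option[List[String]] = None,
      fsGroup: FsGroupStrategyOptions,
      hostIPC: Boolean = false,
      hostNetwork: Boolean = false,
      hostPID: Boolean = false,
      privileged: Boolean = false,
      readOnlyRootFilesystem: Boolean = false,
      hostPorts: Option[HostPortRange] = None,
      requiredDropCapabilities: Option[List[String]] = None,
      runAsGroup: Option[RunAsGroupStrategyOptions] = None,
      runAsUser: RunAsUserStrategyOptions,
      seLinux: SeLinuxStrategyOptions,
      supplementalGroups: SupplementalGroupsStrategyOptions,
      volumes: Option[List[String]] = None
  )

  // ---- Play-JSON codecs ---------------------------------------------------------------
  // Nested formats must be in implicit scope before specFmt/pspFmt are derived.
  implicit val allowedFlexVolumesFmt: Format[AllowedFlexVolumes] = Json.format[AllowedFlexVolumes]
  implicit val allowedHostPathFmt: Format[AllowedHostPath] = Json.format[AllowedHostPath]
  implicit val allowedCSIDriverFmt: Format[AllowedCSIDriver] = Json.format[AllowedCSIDriver]
  implicit val portRangeFmt: Format[PortRange] = Json.format[PortRange]
  implicit val rangeFmt: Format[Range] = Json.format[Range]
  implicit val hostPortRangeFmt: Format[HostPortRange] = Json.format[HostPortRange]
  implicit val fsGroupStrategyOptionsFmt: Format[FsGroupStrategyOptions] = Json.format[FsGroupStrategyOptions]
  implicit val runAsUserStrategyOptionsFmt: Format[RunAsUserStrategyOptions] = Json.format[RunAsUserStrategyOptions]
  implicit val runAsGroupStrategyOptionsFmt: Format[RunAsGroupStrategyOptions] = Json.format[RunAsGroupStrategyOptions]
  implicit val seLinuxOptionsFmt: Format[SeLinuxOptions] = Json.format[SeLinuxOptions]
  implicit val seLinuxStrategyOptionsFmt: Format[SeLinuxStrategyOptions] = Json.format[SeLinuxStrategyOptions]
  implicit val supplementalGroupsStrategyOptionsFmt: Format[SupplementalGroupsStrategyOptions] = Json.format[SupplementalGroupsStrategyOptions]

  // `WithDefaultValues` makes a missing field fall back to the case-class default instead
  // of failing the read. The API server omits false-valued `omitempty` fields (e.g.
  // `privileged`, `hostNetwork`) when it returns a policy, so plain Json.format would
  // reject such a document with a missing-path error for every non-Option Boolean.
  implicit val specFmt: Format[Spec] = Json.using[Json.WithDefaultValues].format[Spec]
  implicit val pspFmt: Format[PodSecurityPolicy] = Json.using[Json.WithDefaultValues].format[PodSecurityPolicy]
  // Explicit type: implicit definitions need an annotation (required in Scala 3, warned in 2.13).
  // Presumably how the Skuber client resolves the API path for this type — confirm against ResourceDefinition.
  implicit val pspDef: ResourceDefinition[PodSecurityPolicy] = new ResourceDefinition[PodSecurityPolicy]() {
    def spec = specification
  }
}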