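---
# Allows every source to reach CoreDNS on 53/TCP and 53/UDP. Needed because the
# intra-namespace policies below otherwise stop other namespaces reaching
# kube-system (NetworkPolicies are additive; this one widens the DNS pods only).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-network-dns-policy
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      k8s-app: kube-dns
  policyTypes:
    - Ingress
  ingress:
    # No `from` clause: any peer may connect on these ports.
    - ports:
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
---
# Restrictive policy granted to every authenticated subject via psp:restricted /
# default:restricted below. Pods that need more must be covered by another PSP.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: cis1.5-compliant-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # hostPath is intentionally not in this allow-list.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
rules:
  # PodSecurityPolicy is served from the `policy` API group, which is also what
  # system-unrestricted-psp-role below uses; the `extensions` group previously
  # named here is the deprecated pre-1.16 location of the resource.
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - cis1.5-compliant-psp
---
# system:authenticated covers every user and every service account, so the
# restricted PSP is the baseline for all pod creation cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default:restricted
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
---
# Isolates kube-system: only peers in a namespace labelled name=kube-system may
# connect. The selector relies on that label being present on the namespace;
# if it is missing, the policy still isolates the pods but admits no traffic.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: intra-namespace
  namespace: kube-system
spec:
  # Empty selector: applies to every pod in the namespace.
  podSelector: {}
  # Ingress is the default when only ingress rules are given; stated explicitly
  # so it is visible that egress is left unrestricted.
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: kube-system
---
# Same isolation for the default namespace; requires the label name=default.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: intra-namespace
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: default
---
# Same isolation for kube-public; requires the label name=kube-public.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: intra-namespace
  namespace: kube-public
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: kube-public
---
# Fully permissive PSP for system components. It is only usable by the subjects
# bound to system-unrestricted-psp-role below (nodes, and service accounts for
# pods in kube-system); anything else falls back to cis1.5-compliant-psp.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: system-unrestricted-psp
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
    - min: 0
      max: 65535
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
---
# Cluster-wide: kubelets (system:nodes) may use the unrestricted PSP for the
# pods they create, e.g. static/mirror pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system-unrestricted-node-psp-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system-unrestricted-psp-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system-unrestricted-psp-role
rules:
  - apiGroups:
      - policy
    resourceNames:
      - system-unrestricted-psp
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
# Namespaced binding: the unrestricted PSP applies only to pods created in
# kube-system. The group system:serviceaccounts spans service accounts from all
# namespaces; system:serviceaccounts:kube-system would be the narrower choice
# if no out-of-namespace controller needs to create pods here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system-unrestricted-svc-acct-psp-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system-unrestricted-psp-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts
---
# Reference https://rancher.com/docs/k3s/latest/en/security/hardening_guide/#networkpolicies
# Re-opens all ingress to the Traefik service load-balancer pods, which the
# kube-system intra-namespace policy would otherwise block.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-svclbtraefik-ingress
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app: svclb-traefik
  policyTypes:
    - Ingress
  ingress:
    # Empty rule: allow from everywhere on every port.
    - {}
---
# Reference https://rancher.com/docs/k3s/latest/en/security/hardening_guide/#networkpolicies
# metrics-server must stay reachable from the API server (aggregated API).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-metrics-server
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      k8s-app: metrics-server
  policyTypes:
    - Ingress
  ingress:
    - {}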