From a865d82ed202d4217f4b03b2d176d08b25826c66 Mon Sep 17 00:00:00 2001
From: Sabbir Ahmed Shameem <145862004+SAShameem@users.noreply.github.com>
Date: Mon, 6 May 2024 21:52:15 +0600
Subject: [PATCH] Create kind-with-namespace-level-baseline-pod-security.sh

---
 ...h-namespace-level-baseline-pod-security.sh | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 content/bn/examples/security/kind-with-namespace-level-baseline-pod-security.sh

diff --git a/content/bn/examples/security/kind-with-namespace-level-baseline-pod-security.sh b/content/bn/examples/security/kind-with-namespace-level-baseline-pod-security.sh
new file mode 100644
index 0000000000..637e23df51
--- /dev/null
+++ b/content/bn/examples/security/kind-with-namespace-level-baseline-pod-security.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+kind create cluster --name psa-ns-level
+kubectl cluster-info --context kind-psa-ns-level
+# Wait for 15 seconds (arbitrary) for ServiceAccount Admission Controller to be available
+sleep 15
+
+# Create and label the namespace
+kubectl create ns example || exit 1 # if namespace exists, don't do the next steps
+kubectl label --overwrite ns example \
+ pod-security.kubernetes.io/enforce=baseline \
+ pod-security.kubernetes.io/enforce-version=latest \
+ pod-security.kubernetes.io/warn=restricted \
+ pod-security.kubernetes.io/warn-version=latest \
+ pod-security.kubernetes.io/audit=restricted \
+ pod-security.kubernetes.io/audit-version=latest
+
+# Try running a Pod
+cat <<EOF |
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+spec:
+ containers:
+ - image: nginx
+ name: nginx
+ ports:
+ - containerPort: 80
+EOF
+kubectl apply -n example -f -
+
+# Await input
+sleep 1
+( bash -c 'true' 2>/dev/null && bash -c 'read -p "Press any key to continue... " -n1 -s' ) || \
+ ( printf "Press Enter to continue... " && read ) 1>&2
+
+# Clean up
+printf "\n\nCleaning up:\n" 1>&2
+set -e
+kubectl delete pod --all -n example --now
+kubectl delete ns example
+kind delete cluster --name psa-ns-level
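Review bot: The exit status of `kind create cluster --name psa-ns-level` on the second line is never checked, and only the `kubectl cluster-info` call pins `--context kind-psa-ns-level`; every later `kubectl` call (`create ns`, `label`, `apply`, and the cleanup `delete pod --all` / `delete ns example`) runs against whatever context the user's kubeconfig currently selects, so a failed or slow cluster creation would create, label and then delete a namespace named `example` in some other cluster. The minimal guard is `kind create cluster --name psa-ns-level || exit 1`, and the safer form is to also add `--context kind-psa-ns-level` to each of those `kubectl` invocations so the script can never act outside the kind cluster it created. A smaller point: `set -e` is enabled only before the cleanup block, so a failing `kubectl delete pod --all -n example --now` aborts before `kind delete cluster` and leaves the cluster behind; moving `set -e` to the top (after the shebang) or running `kind delete cluster` unconditionally avoids that.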