I hereby claim:
- I am maxgio92 on github.
- I am maxgio (https://keybase.io/maxgio) on keybase.
- I have a public key ASB2cXvOUeybccGKDoNQ0It1Bp2ZGLfiov-KPtojlOCxmQo
To claim this, I am signing this object:
#!/bin/sh
# Export a fresh Arch Linux container filesystem to a tarball so it can be
# imported as a WSL distribution. Needs a working docker CLI; `docker create`
# pulls archlinux:latest if it is not present locally.

# Get Arch Linux rootfs
# NOTE(review): rootfs/ is created but nothing below writes into it — the tar is
# written to the current directory. Confirm the directory is still needed.
# NOTE(review): the container created by `docker create` is left behind
# (stopped) once the export finishes; nothing here removes it.
mkdir rootfs && \
docker export \
$(docker create archlinux:latest) \
> archlinux-rootfs.x86_64.tar
# NOTE(review): WSL exposes Windows drives under /mnt/<drive> by default;
# /mount/c looks like a custom mount point — confirm it exists on this host,
# otherwise the mv fails and the tarball stays in the working directory.
mv archlinux-rootfs.x86_64.tar /mount/c/Users/myuser/archlinux-rootfs.x86_64.tar
# Import Arch Linux rootfs on a new WSL instance (on Windows)
# (the import command itself is not part of this excerpt)
# kube-apiserver encryption-at-rest configuration: Secret objects are encrypted
# with AES-CBC before being written to etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # NOTE(review): the first provider listed is the one used for writes.
      # aescbc is the legacy option; the upstream docs steer new setups to
      # aesgcm, secretbox or a KMS provider because CBC is exposed to
      # padding-oracle attacks. Consider switching before rotating keys.
      - aescbc:
          keys:
            - name: key1
              # placeholder: replace with a base64-encoded random key (32 bytes
              # recommended). This file holds the key in clear — keep it readable
              # only by the API server process.
              secret: <BASE 64 ENCODED SECRET>
# kubeconfig given to kube-apiserver's audit webhook backend so that audit
# events are POSTed to Falco's k8s_audit endpoint.
apiVersion: v1
kind: Config
clusters:
  - cluster:
      # NOTE(review): plain http — depending on the audit policy level, events
      # carry request/response bodies (which can include Secret contents).
      # Terminate TLS in front of this endpoint or keep it on a trusted
      # network. <ip_of_falco> is a placeholder to fill in.
      server: http://<ip_of_falco>:8765/k8s_audit
    name: falco
contexts:
  - context:
      cluster: falco
      # no client credentials are presented to the webhook
      user: ""
# kube-apiserver audit Policy. Rules are evaluated in order and the first
# matching rule decides the audit level for a request, so the exclusions
# below must stay ahead of any catch-all rule.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # The following requests were manually identified as high-volume and low-risk,
  # so drop them.
  # level: None suppresses audit output entirely for the matched requests.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # core
      # (the resource list and any further rules are not part of this excerpt)
# PodSecurityPolicy restricting hostPath volumes to a read-only subtree.
# NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; clusters on
# newer versions need Pod Security Admission or an admission webhook to
# enforce the same constraint.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-psp-hostpaths
  # ...
spec:
  # ...
  # Only hostPath volumes whose path starts with /example are admitted, and
  # only as read-only mounts; a writable host mount is a well-known route to
  # the node, so readOnly: true is the part that matters here.
  allowedHostPaths:
    - pathPrefix: "/example"
      readOnly: true
# PodSecurityPolicy that does NOT require a read-only root filesystem.
# NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; see the
# allowedHostPaths example for the same caveat.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-psp-ro-rootfs
  # ...
spec:
  # ...
  # false = containers may run with a writable root filesystem; setting this
  # to true would reject pods whose containers do not set
  # securityContext.readOnlyRootFilesystem: true. The name "ro-rootfs" reads
  # as if this were the restrictive variant — presumably the permissive
  # example, confirm intent.
  readOnlyRootFilesystem: false
  # ...
# Pod whose container runs with a read-only root filesystem; anything the
# process must write needs an explicitly mounted volume (e.g. an emptyDir).
apiVersion: v1
kind: Pod
metadata:
  name: my-secure-pod
spec:
  containers:
  # ... (container name/image elided in this excerpt)
    # readOnlyRootFilesystem is a container-level securityContext field; it
    # has no pod-level counterpart.
    securityContext:
      readOnlyRootFilesystem: true
  # ...
# Pod that runs as the build-robot service account without having the
# account's API token mounted into its containers.
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  # The pod-level setting takes precedence over automountServiceAccountToken
  # on the ServiceAccount object. A workload that never talks to the API
  # server has no use for the token, and not mounting it removes a credential
  # from anything that compromises the container.
  automountServiceAccountToken: false