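---
# A deliberately permissive PodSecurityPolicy: it allows privileged
# containers, all three host namespaces (network, IPC, PID), any host port,
# any volume type and no user/group/SELinux constraints. It is useful only
# as a reference for what an *unrestricted* policy looks like; anything
# that may `use` this PSP (via RBAC) can effectively own the node it lands
# on, so bind it only to trusted system components, never to workload
# service accounts.
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed in
# Kubernetes 1.25; newer clusters enforce the same ideas with
# Pod Security Admission.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  # Privileged containers get full access to host devices and capabilities.
  privileged: true
  # Host namespaces: the pod sees the node's network stack, IPC objects and
  # process table.
  hostNetwork: true
  hostIPC: true
  hostPID: true
  # No constraints on SELinux context, UID or supplemental/fs GIDs —
  # running as root (UID 0) is allowed.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Any host port may be bound.
  hostPorts:
    - min: 0
      max: 65535
  # Any volume type, including hostPath. The wildcard is quoted because a
  # bare `*` would be read as a YAML alias.
  volumes:
    - '*'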

------

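# Create a dedicated service account for the GKE nodes and grant it only
# the roles shown (log writing, metric writing, monitoring read). Running
# nodes under a minimal account instead of the project default limits what
# a compromised node can reach in the project.
$ gcloud iam service-accounts create "${NAZWA_KONTA}" \
    --display-name="${NAZWA_KONTA}"
# Write logs to Cloud Logging.
$ gcloud projects add-iam-policy-binding "${ID_PROJEKTU}" \
    --member "serviceAccount:${NAZWA_KONTA}@${ID_PROJEKTU}.iam.gserviceaccount.com" \
    --role roles/logging.logWriter
# Write metrics to Cloud Monitoring.
$ gcloud projects add-iam-policy-binding "${ID_PROJEKTU}" \
    --member "serviceAccount:${NAZWA_KONTA}@${ID_PROJEKTU}.iam.gserviceaccount.com" \
    --role roles/monitoring.metricWriter
# Read access to monitoring data.
$ gcloud projects add-iam-policy-binding "${ID_PROJEKTU}" \
    --member "serviceAccount:${NAZWA_KONTA}@${ID_PROJEKTU}.iam.gserviceaccount.com" \
    --role roles/monitoring.viewer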

------

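# Disable the Kubernetes Dashboard add-on on an existing cluster; the web UI
# is an additional entry point into the cluster that most deployments do not need.
$ gcloud container clusters update "${NAZWA_KLASTRA}" --update-addons=KubernetesDashboard=DISABLED

# Create a cluster whose nodes run under the dedicated service account,
# with legacy (ABAC) authorization switched off so only RBAC applies, and
# without the dashboard add-on.
$ gcloud container clusters create "${NAZWA_KLASTRA}" \
    --service-account="${NAZWA_KONTA}@${ID_PROJEKTU}.iam.gserviceaccount.com" \
    --no-enable-legacy-authorization \
    --disable-addons=KubernetesDashboard

# Create a cluster with NetworkPolicy enforcement enabled, so pod-to-pod
# traffic can be restricted with NetworkPolicy objects.
$ gcloud container clusters create "${NAZWA_KLASTRA}" \
    --project="${ID_PROJEKTU}" \
    --zone="${OBSZAR}" \
    --enable-network-policy

# Run the CIS benchmark checks (kube-bench) directly on a host. The host
# PID namespace and the read-only mounts of /etc and /var let it inspect
# component processes and configuration; nothing is mounted writable.
# Replace <master|node> with the role of the host being checked.
# `:latest` is a mutable tag — pin a release or digest for repeatable audits.
$ docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t \
    aquasec/kube-bench:latest <master|node>

# The same node check run as a one-off pod. hostPID is needed for the same
# reason as --pid=host above; --version selects the benchmark for the
# cluster's Kubernetes release (1.8 as printed here).
$ kubectl run --rm -i -t kube-bench-node --image=aquasec/kube-bench:latest \
    --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": {\"hostPID\": true } }" \
    -- node --version 1.8

# Master variant: the nodeSelector and toleration pin the pod to a master
# node, which only works where masters are schedulable (self-managed
# clusters; a managed control plane such as GKE's cannot be targeted this way).
$ kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest \
    --restart=Never \
    --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"kubernetes.io/role\": \"master\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" \
    -- master --version 1.8

# List API services backed by an aggregated API server (.spec.service is
# set), i.e. extension APIs not served by kube-apiserver itself; each of
# these is a separate component whose authentication and TLS setup should be
# reviewed on its own.
$ kubectl get apiservices -o 'jsonpath= {range.items[?(@.spec.service.name!="")]}{.metadata.name}{"\n"}{end}'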

