You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
---apiVersion: policy/v1beta1kind: PodSecurityPolicymetadata: name: restricted annotations: seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'{% if apparmor_enabled %} apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'{% endif %} labels: kubernetes.io/cluster-service: 'true' addonmanager.kubernetes.io/mode: Reconcilespec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: - min: 1 max: 65535 readOnlyRootFilesystem: false{% if kube_version is version('v1.12.1', '>=') %} forbiddenSysctls: - '*'{% endif %}---apiVersion: policy/v1beta1kind: PodSecurityPolicymetadata: name: privileged annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' labels: kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcilespec: privileged: true allowPrivilegeEscalation: true allowedCapabilities: - '*' volumes: - '*' hostNetwork: true hostPorts: - min: 0 max: 65535 hostIPC: true hostPID: true runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' readOnlyRootFilesystem: false{% if kube_version is version('v1.12.1', '>=') %} # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags allowedUnsafeSysctls: - '*'{% endif %}
|
