Kay Yan
2 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with
9 additions and
54 deletions
-
roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
-
roles/network_plugin/flannel/templates/cni-flannel.yml.j2
|
|
|
@ -5,64 +5,11 @@ metadata: |
|
|
|
name: flannel |
|
|
|
namespace: kube-system |
|
|
|
--- |
|
|
|
apiVersion: policy/v1beta1 |
|
|
|
kind: PodSecurityPolicy |
|
|
|
metadata: |
|
|
|
name: psp.flannel.unprivileged |
|
|
|
annotations: |
|
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default |
|
|
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default |
|
|
|
{% if podsecuritypolicy_enabled and apparmor_enabled %} |
|
|
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default |
|
|
|
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default |
|
|
|
{% endif %} |
|
|
|
spec: |
|
|
|
privileged: false |
|
|
|
volumes: |
|
|
|
- configMap |
|
|
|
- secret |
|
|
|
- emptyDir |
|
|
|
- hostPath |
|
|
|
allowedHostPaths: |
|
|
|
- pathPrefix: "/etc/cni/net.d" |
|
|
|
- pathPrefix: "/etc/kube-flannel" |
|
|
|
- pathPrefix: "/run/flannel" |
|
|
|
readOnlyRootFilesystem: false |
|
|
|
# Users and groups |
|
|
|
runAsUser: |
|
|
|
rule: RunAsAny |
|
|
|
supplementalGroups: |
|
|
|
rule: RunAsAny |
|
|
|
fsGroup: |
|
|
|
rule: RunAsAny |
|
|
|
# Privilege Escalation |
|
|
|
allowPrivilegeEscalation: false |
|
|
|
defaultAllowPrivilegeEscalation: false |
|
|
|
# Capabilities |
|
|
|
allowedCapabilities: ['NET_ADMIN'] |
|
|
|
defaultAddCapabilities: [] |
|
|
|
requiredDropCapabilities: [] |
|
|
|
# Host namespaces |
|
|
|
hostPID: false |
|
|
|
hostIPC: false |
|
|
|
hostNetwork: true |
|
|
|
hostPorts: |
|
|
|
- min: 0 |
|
|
|
max: 65535 |
|
|
|
# SELinux |
|
|
|
seLinux: |
|
|
|
# SELinux is unused in CaaSP |
|
|
|
rule: 'RunAsAny' |
|
|
|
--- |
|
|
|
kind: ClusterRole |
|
|
|
apiVersion: rbac.authorization.k8s.io/v1 |
|
|
|
metadata: |
|
|
|
name: flannel |
|
|
|
rules: |
|
|
|
- apiGroups: ['extensions'] |
|
|
|
resources: ['podsecuritypolicies'] |
|
|
|
verbs: ['use'] |
|
|
|
resourceNames: ['psp.flannel.unprivileged'] |
|
|
|
- apiGroups: |
|
|
|
- "" |
|
|
|
resources: |
|
|
|
|
|
|
|
@ -79,7 +79,7 @@ spec: |
|
|
|
securityContext: |
|
|
|
privileged: false |
|
|
|
capabilities: |
|
|
|
add: ["NET_ADMIN"] |
|
|
|
add: ["NET_ADMIN", "NET_RAW"] |
|
|
|
env: |
|
|
|
- name: POD_NAME |
|
|
|
valueFrom: |
|
|
|
@ -89,11 +89,15 @@ spec: |
|
|
|
valueFrom: |
|
|
|
fieldRef: |
|
|
|
fieldPath: metadata.namespace |
|
|
|
- name: EVENT_QUEUE_DEPTH |
|
|
|
value: "5000" |
|
|
|
volumeMounts: |
|
|
|
- name: run |
|
|
|
mountPath: /run/flannel |
|
|
|
- name: flannel-cfg |
|
|
|
mountPath: /etc/kube-flannel/ |
|
|
|
- name: xtables-lock |
|
|
|
mountPath: /run/xtables.lock |
|
|
|
affinity: |
|
|
|
nodeAffinity: |
|
|
|
requiredDuringSchedulingIgnoredDuringExecution: |
|
|
|
@ -146,6 +150,10 @@ spec: |
|
|
|
- name: flannel-cfg |
|
|
|
configMap: |
|
|
|
name: kube-flannel-cfg |
|
|
|
- name: xtables-lock |
|
|
|
hostPath: |
|
|
|
path: /run/xtables.lock |
|
|
|
type: FileOrCreate |
|
|
|
- name: cni-plugin |
|
|
|
hostPath: |
|
|
|
path: /opt/cni/bin |
|
|
|
|
