sysctl related PodSecurityPolicy spec since 1.12 (#3743)

5 years ago · b15e685a0b
1 changed files with 9 additions and 0 deletions
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@ -43,6 +43,10 @@ spec:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  forbiddenSysctls:
+  - '*'
+{% endif %}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@ -75,3 +79,8 @@ spec:
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+  allowedUnsafeSysctls:
+  - '*'
+{% endif %}