From b15e685a0b3548c6bd61f1c8d019ac186a65d146 Mon Sep 17 00:00:00 2001
From: Erwan Miran
Date: Mon, 26 Nov 2018 09:13:51 +0100
Subject: [PATCH] sysctl related PodSecurityPolicy spec since 1.12 (#3743)

---
 roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
index a9d32a6e6..e6dd7d1a1 100644
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -43,6 +43,10 @@ spec:
     - min: 1
       max: 65535
   readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  forbiddenSysctls:
+    - '*'
+{% endif %}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -75,3 +79,8 @@ spec:
   fsGroup:
     rule: 'RunAsAny'
   readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+  allowedUnsafeSysctls:
+    - '*'
+{% endif %}
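Review bot: The `forbiddenSysctls: ['*']` added to the first (restricted) policy is undocumented, and `'*'` does more than block unsafe sysctls: it also denies the small set of sysctls the kubelet treats as safe and would otherwise allow by default, so a workload that only tunes e.g. `net.ipv4.ip_local_port_range` is rejected by this policy too. That is a defensible hardening choice, but it should be stated so the next maintainer does not loosen it by accident; I would add `# '*' denies every sysctl, including the kubelet's "safe" set; narrow to explicit names if a workload needs one` above the key. The 1.12.1 gate is also conservative if I recall correctly that these PSP fields appeared with the 1.11 sysctl beta — worth confirming, since clusters on 1.11 would then silently fall back to the API default rather than this explicit deny. The surrounding `spec:` mapping starts before and ends after this hunk.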
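Review bot: The comment above `allowedUnsafeSysctls` in the second hunk is misleading: applying the PodSecurityPolicy does not fail when the kubelet flag is absent; what fails is the pod, which the kubelet rejects (SysctlForbidden) on any node not started with `--allowed-unsafe-sysctls` listing that sysctl, so admission passes and the failure surfaces later at scheduling time. I would reword it to `# PSP admission passes, but pods requesting an unsafe sysctl are still rejected by the kubelet on nodes whose --allowed-unsafe-sysctls does not list it`. Since `'*'` here is a full wildcard on what is presumably the privileged policy, it is also worth noting in the same comment that the kubelet flag, not this field, is the effective allow-list per node. The enclosing `spec:` mapping begins outside the hunk.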