
sysctl related PodSecurityPolicy spec since 1.12 (#3743)

pull/3761/head
Erwan Miran 6 years ago
committed by k8s-ci-robot
parent
commit
b15e685a0b
1 changed files with 9 additions and 0 deletions
  1. 9
      roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2

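--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -43,6 +43,10 @@ spec:
 - min: 1
 max: 65535
 readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+forbiddenSysctls:
+- '*'
+{% endif %}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -75,3 +79,8 @@ spec:
 fsGroup:
 rule: 'RunAsAny'
 readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+allowedUnsafeSysctls:
+- '*'
+{% endif %}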
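Review bot: The `allowedUnsafeSysctls:` entry `- '*'` added in the second hunk lets any pod admitted under that PodSecurityPolicy request every unsafe sysctl, so the kubelet's `--allowed-unsafe-sysctls` flag becomes the only remaining control on each node. Consider rendering the list from an inventory variable that defaults to empty (placeholder name `<psp_allowed_unsafe_sysctls>`), or listing only the patterns the cluster needs, e.g. `- 'kernel.msg*'` (constructed example). The added comment could say what actually fails: `# Pods requesting an unsafe sysctl fail to start on nodes whose kubelet does not list it in --allowed-unsafe-sysctls`. The gate `version('v1.12.1', '>=')` also excludes v1.12.0 although the commit title says "since 1.12", which is worth confirming as intended. Both `spec:` mappings begin outside the hunks, so which policy each addition lands in is inferred from the hunk context only.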