Add podsecuritypolicy
Add the podsecuritypolicy chart and incorporate a default podsecuritypolicy. Change-Id: Iace1e00cc69d58c167a004392756db6b73d4cf31
This commit is contained in:
parent
7db4b789f2
commit
93d86e095b
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
schema: armada/ChartGroup/v1
|
||||||
|
metadata:
|
||||||
|
schema: metadata/Document/v1
|
||||||
|
name: podsecuritypolicy
|
||||||
|
layeringDefinition:
|
||||||
|
abstract: false
|
||||||
|
layer: global
|
||||||
|
storagePolicy: cleartext
|
||||||
|
data:
|
||||||
|
description: Cluster Pod Security Policy definitions
|
||||||
|
chart_group:
|
||||||
|
- podsecuritypolicy
|
@ -0,0 +1,73 @@
|
|||||||
|
---
|
||||||
|
schema: armada/Chart/v1
|
||||||
|
metadata:
|
||||||
|
schema: metadata/Document/v1
|
||||||
|
name: podsecuritypolicy
|
||||||
|
labels:
|
||||||
|
name: podsecuritypolicy-global
|
||||||
|
layeringDefinition:
|
||||||
|
abstract: false
|
||||||
|
layer: global
|
||||||
|
storagePolicy: cleartext
|
||||||
|
substitutions:
|
||||||
|
# Chart source
|
||||||
|
- src:
|
||||||
|
schema: pegleg/SoftwareVersions/v1
|
||||||
|
name: software-versions
|
||||||
|
path: .charts.osh_infra.podsecuritypolicy
|
||||||
|
dest:
|
||||||
|
path: .source
|
||||||
|
data:
|
||||||
|
chart_name: podsecuritypolicy
|
||||||
|
release: podsecuritypolicy
|
||||||
|
namespace: ucp
|
||||||
|
wait:
|
||||||
|
resources: []
|
||||||
|
install:
|
||||||
|
no_hooks: true
|
||||||
|
upgrade:
|
||||||
|
no_hooks: true
|
||||||
|
values:
|
||||||
|
conf:
|
||||||
|
# This defines creation of ClusterRoleBindings that configure
|
||||||
|
# default PodSecurityPolicies for the subjects below.
|
||||||
|
# `nil` avoids creation of a default binding for the subject.
|
||||||
|
#
|
||||||
|
defaults:
|
||||||
|
serviceaccounts: psp-default
|
||||||
|
authenticated: psp-default
|
||||||
|
unauthenticated: nil
|
||||||
|
data:
|
||||||
|
# Each of these corresponds to the `spec` of a PodSecurityPolicy object.
|
||||||
|
# Note that this default PodSecurityPolicy is incredibly permissive. It is
|
||||||
|
# intended to be tuned over time as a default, and to be overridden by
|
||||||
|
# operators as appropriate.
|
||||||
|
#
|
||||||
|
# A ClusterRole will be created for the PSP, with the same `metadata.name`.
|
||||||
|
#
|
||||||
|
# Note: you can define as many PSPs here as you need.
|
||||||
|
#
|
||||||
|
psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
|
||||||
|
privileged: true
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
hostIPC: true
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- '*'
|
||||||
|
allowedCapabilities:
|
||||||
|
- '*'
|
||||||
|
hostPorts:
|
||||||
|
- min: 1
|
||||||
|
max: 65536
|
||||||
|
dependencies:
|
||||||
|
- osh-infra-helm-toolkit
|
||||||
|
...
|
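Review bot: The `defaults` block binds `psp-default` to both `serviceaccounts` and `authenticated`, and that policy allows `privileged: true`, all three host namespaces, `allowedCapabilities: ['*']`, `volumes: ['*']` and the full host port range, so once the PodSecurityPolicy admission plugin is enabled it admits any pod spec from any authenticated subject and constrains nothing. The existing header comment says the policy is meant to be tuned, but the effect of the two default bindings is not stated; I would extend it with `# With both default bindings pointing at psp-default, PSP admission grants every authenticated subject privileged/host access; override per site before treating PSP as a control.` Separately, `hostPorts` `max: 65536` is one above the highest valid port (65535), and whether the API server rejects the range depends on the validation in the deployed Kubernetes version, so `max: 65535` is the safer value. Indentation is not recoverable from this rendering, so the nesting of `defaults` under `conf` is inferred.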
@ -210,6 +210,11 @@ data:
|
|||||||
reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
|
reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
|
||||||
subpath: nagios
|
subpath: nagios
|
||||||
type: git
|
type: git
|
||||||
|
podsecuritypolicy:
|
||||||
|
location: https://git.openstack.org/openstack/openstack-helm-infra
|
||||||
|
reference: eda4b31502115d9966bf3464a7a9d9a0f0310826
|
||||||
|
subpath: podsecuritypolicy
|
||||||
|
type: git
|
||||||
prometheus:
|
prometheus:
|
||||||
location: https://git.openstack.org/openstack/openstack-helm-infra
|
location: https://git.openstack.org/openstack/openstack-helm-infra
|
||||||
reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
|
reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
|
||||||
|
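Review bot: The new `podsecuritypolicy` entry pins openstack-helm-infra at `eda4b31502115d9966bf3464a7a9d9a0f0310826` while the neighbouring `nagios` and `prometheus` entries in the same hunk pin `ff51fd77e1a9231ca2e463c6e763cc14f3336bcc`, and the chart declares a dependency on `osh-infra-helm-toolkit` whose pin is outside this hunk. Mixing commits of one upstream repository is presumably because the chart does not exist at the older reference, but nothing records that, and a helm-toolkit mismatch would only surface at render time. A one-line comment above the entry, `# pinned separately from the sibling osh-infra charts (ff51fd77): verify compatibility with osh-infra-helm-toolkit`, or bumping the shared reference, would make the intent reviewable.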
@ -10,6 +10,7 @@ metadata:
|
|||||||
data:
|
data:
|
||||||
release_prefix: airship
|
release_prefix: airship
|
||||||
chart_groups:
|
chart_groups:
|
||||||
|
- podsecuritypolicy
|
||||||
- kubernetes-proxy
|
- kubernetes-proxy
|
||||||
- kubernetes-container-networking
|
- kubernetes-container-networking
|
||||||
- kubernetes-dns
|
- kubernetes-dns
|
||||||
|
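Review bot: `podsecuritypolicy` is inserted at the head of `chart_groups`, ahead of `kubernetes-proxy`, in this hunk and again in the following hunk, with no comment explaining the ordering. Armada processes chart groups in the order listed, so placing it first means the PSP and its default bindings exist before the workload charts create pods; if the PodSecurityPolicy admission plugin is already enabled on the API server, that ordering is what keeps those pods admissible, though the plugin configuration is not visible here. A short comment would preserve that intent, e.g. `# first: PSP objects and default bindings must exist before other charts create pods`.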
@ -12,6 +12,7 @@ metadata:
|
|||||||
data:
|
data:
|
||||||
release_prefix: airship
|
release_prefix: airship
|
||||||
chart_groups:
|
chart_groups:
|
||||||
|
- podsecuritypolicy
|
||||||
- kubernetes-proxy
|
- kubernetes-proxy
|
||||||
- kubernetes-container-networking
|
- kubernetes-container-networking
|
||||||
- kubernetes-dns
|
- kubernetes-dns
|
||||||
|