# Copyright 2018, AT&T Intellectual Property # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. conf: # This defines creation of ClusterRoleBindings that configure # default PodSecurityPolicies for the subjects below. # `nil` avoids creation of a default binding for the subject. # defaults: serviceaccounts: psp-default authenticated: psp-default unauthenticated: nil data: # Each of these corresponds to the `spec` of a PodSecurityPolicy object. # Note that this default PodSecurityPolicy is incredibly permissive. It is # intended to be tuned over time as a default, and to be overridden by # operators as appropriate. # # A ClusterRole will be created for the PSP, with the same `metadata.name`. # # Note: you can define as many PSPs here as you need. # psp-default: # This will be the `metadata.name` of the PodSecurityPolicy annotations: {} # Placeholder to add seccomp/apparmor default annotations spec: privileged: true allowPrivilegeEscalation: true hostNetwork: true hostPID: true hostIPC: true seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*' allowedCapabilities: - '*' hostPorts: - min: 1 max: 65536 manifests: podsecuritypolicy: true