openstack-helm-infra/podsecuritypolicy/values.yaml
Andrii Ostapenko 731a6b4cfa Enable yamllint checks
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- key-duplicates
- new-line-at-end-of-file
- new-lines
- octal-values

with corresponding code adjustment.

Change-Id: I92d6aa20df82aa0fe198f8ccd535cfcaf613f43a
2020-05-29 19:49:05 +00:00

74 lines
2.5 KiB
YAML

# Copyright 2018, AT&T Intellectual Property
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
conf:
# The keys under serviceaccounts define specific serviceaccounts, for
# which this tempalte creates clusterRoleBindigs to bind the serviceaccounts
# to the clusterRole. The cluserRole names are defined by the value for
# each each key.
# Each clusterRoles uses a podSecurityPolicy with the same name, defined
# in the data section below.
# Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount,
# assigned to a pod, to assess if it is allowed to create the pod and its
# listed containers with the securityContexts defined in thier specs.
serviceaccounts: {}
# namespace-1:service-account-1: psp-all-permissive
# This defines creation of ClusterRoleBindings that configure
# default PodSecurityPolicies for the subjects below.
# `nil` avoids creation of a default binding for the subject.
#
defaults:
serviceaccounts: psp-default
authenticated: psp-default
unauthenticated: nil
data:
# Each of these corresponds to the `spec` of a PodSecurityPolicy object.
# Note that this default PodSecurityPolicy is incredibly permissive. It is
# intended to be tuned over time as a default, and to be overridden by
# operators as appropriate.
#
# A ClusterRole will be created for the PSP, with the same `metadata.name`.
#
# Note: you can define as many PSPs here as you need.
#
psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
annotations: {} # Placeholder to add seccomp/apparmor default annotations
spec:
privileged: true
allowPrivilegeEscalation: true
hostNetwork: true
hostPID: true
hostIPC: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
allowedCapabilities:
- '*'
hostPorts:
- min: 1
max: 65536
manifests:
podsecuritypolicy: true
...