openstack-helm-infra/podsecuritypolicy/values.yaml
Pete Birley 2abf62ff4d OSH-Infra: Add emptydirs for tmp
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.

Additionally some yaml indent issues are resolved.

Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-20 20:50:59 +00:00

60 lines
1.9 KiB
YAML

# Copyright 2018, AT&T Intellectual Property
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
conf:
# This defines creation of ClusterRoleBindings that configure
# default PodSecurityPolicies for the subjects below.
# `nil` avoids creation of a default binding for the subject.
#
defaults:
serviceaccounts: psp-default
authenticated: psp-default
unauthenticated: nil
data:
# Each of these corresponds to the `spec` of a PodSecurityPolicy object.
# Note that this default PodSecurityPolicy is incredibly permissive. It is
# intended to be tuned over time as a default, and to be overridden by
# operators as appropriate.
#
# A ClusterRole will be created for the PSP, with the same `metadata.name`.
#
# Note: you can define as many PSPs here as you need.
#
psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
annotations: {} # Placeholder to add seccomp/apparmor default annotations
spec:
privileged: true
allowPrivilegeEscalation: true
hostNetwork: true
hostPID: true
hostIPC: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
allowedCapabilities:
- '*'
hostPorts:
- min: 1
max: 65536
manifests:
podsecuritypolicy: true