2abf62ff4d
This PS adds emptydirs backing the /tmp directory in pods, which is required in most cases for full operation when using a read only filesystem backing the container. Additionally some yaml indent issues are resolved. Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad Signed-off-by: Pete Birley <pete@port.direct>
60 lines
1.9 KiB
YAML
60 lines
1.9 KiB
YAML
# Copyright 2018, AT&T Intellectual Property
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
conf:
|
|
# This defines creation of ClusterRoleBindings that configure
|
|
# default PodSecurityPolicies for the subjects below.
|
|
# `nil` avoids creation of a default binding for the subject.
|
|
#
|
|
defaults:
|
|
serviceaccounts: psp-default
|
|
authenticated: psp-default
|
|
unauthenticated: nil
|
|
|
|
data:
|
|
# Each of these corresponds to the `spec` of a PodSecurityPolicy object.
|
|
# Note that this default PodSecurityPolicy is incredibly permissive. It is
|
|
# intended to be tuned over time as a default, and to be overridden by
|
|
# operators as appropriate.
|
|
#
|
|
# A ClusterRole will be created for the PSP, with the same `metadata.name`.
|
|
#
|
|
# Note: you can define as many PSPs here as you need.
|
|
#
|
|
psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
|
|
annotations: {} # Placeholder to add seccomp/apparmor default annotations
|
|
spec:
|
|
privileged: true
|
|
allowPrivilegeEscalation: true
|
|
hostNetwork: true
|
|
hostPID: true
|
|
hostIPC: true
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- '*'
|
|
allowedCapabilities:
|
|
- '*'
|
|
hostPorts:
|
|
- min: 1
|
|
max: 65536
|
|
manifests:
|
|
podsecuritypolicy: true
|