github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
e72c6c69bbaa9a75f415f09b1ca66c901b3dc3f7
kubernetes/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
Tim Allclair 368afc6217 Add GCP addon PodSecurityPolicies & Bindings
2017-11-01 14:03:05 -07:00

39 lines
1.2 KiB
YAML
Raw Blame History

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: gce.unprivileged-addon
annotations:
kubernetes.io/description: 'This policy grants the minimum ammount of
privilege necessary to run non-privileged kube-system pods. This policy is
not intended for use outside of kube-system, and may include further
restrictions in the future.'
# TODO: Addons should use the default seccomp profile.
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
# 'runtime/default' is already the default, but must be filled in on the
# pod to pass admission.
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
labels:
kubernetes.io/cluster-service: 'true'
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- 'emptyDir'
- 'configMap'
- 'secret'
hostNetwork: false
hostIPC: false
hostPID: false
# TODO: The addons using this profile should not run as root.
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
Reference in New Issue View Git Blame Copy Permalink