rancher-charts/packages/rancher-grafana/generated-changes/patch/templates/podsecuritypolicy.yaml.patch

--- charts-original/templates/podsecuritypolicy.yaml
+++ charts/templates/podsecuritypolicy.yaml
@@ -6,30 +6,15 @@
   namespace: {{ template "grafana.namespace" . }}
   labels:
     {{- include "grafana.labels" . | nindent 4 }}
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    {{- if .Values.rbac.pspUseAppArmor }}
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    {{- end }}
+{{- if .Values.rbac.pspAnnotations }}
+    annotations: {{ toYaml .Values.rbac.pspAnnotations | nindent 4 }}
+{{- end }}
 spec:
   privileged: false
   allowPrivilegeEscalation: false
   requiredDropCapabilities:
-    # Default set from Docker, without DAC_OVERRIDE or CHOWN
-    - FOWNER
-    - FSETID
-    - KILL
-    - SETGID
-    - SETUID
-    - SETPCAP
-    - NET_BIND_SERVICE
-    - NET_RAW
-    - SYS_CHROOT
-    - MKNOD
-    - AUDIT_WRITE
-    - SETFCAP
+    # Default set from Docker, with DAC_OVERRIDE and CHOWN
+      - ALL
   volumes:
     - 'configMap'
     - 'emptyDir'
@@ -42,12 +27,20 @@
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: 'MustRunAsNonRoot'
   seLinux:
     rule: 'RunAsAny'
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
   fsGroup:
-    rule: 'RunAsAny'
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
   readOnlyRootFilesystem: false
 {{- end }}
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`--- charts-original/templates/podsecuritypolicy.yaml`
			`+++ charts/templates/podsecuritypolicy.yaml`
(dev-v2.6-archive) Rebase to bf7e1110a5ee9258190d0377fea319bb8e764e62 (partially cherry picked from commit b4787cfe7c9d5ff4367ce4f1125b8e3a3f41210c) 2021-06-26 00:16:30 +00:00			`@@ -6,30 +6,15 @@`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`namespace: {{ template "grafana.namespace" . }}`
			`labels:`
			`{{- include "grafana.labels" . \| nindent 4 }}`
			`- annotations:`
			`- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'`
			`- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'`
			`- {{- if .Values.rbac.pspUseAppArmor }}`
			`- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'`
			`- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'`
			`- {{- end }}`
			`+{{- if .Values.rbac.pspAnnotations }}`
			`+ annotations: {{ toYaml .Values.rbac.pspAnnotations \| nindent 4 }}`
			`+{{- end }}`
			`spec:`
			`privileged: false`
			`allowPrivilegeEscalation: false`
(dev-v2.6-archive) Rebase to bf7e1110a5ee9258190d0377fea319bb8e764e62 (partially cherry picked from commit b4787cfe7c9d5ff4367ce4f1125b8e3a3f41210c) 2021-06-26 00:16:30 +00:00			`requiredDropCapabilities:`
			`- # Default set from Docker, without DAC_OVERRIDE or CHOWN`
			`- - FOWNER`
			`- - FSETID`
			`- - KILL`
			`- - SETGID`
			`- - SETUID`
			`- - SETPCAP`
			`- - NET_BIND_SERVICE`
			`- - NET_RAW`
			`- - SYS_CHROOT`
			`- - MKNOD`
			`- - AUDIT_WRITE`
			`- - SETFCAP`
			`+ # Default set from Docker, with DAC_OVERRIDE and CHOWN`
			`+ - ALL`
			`volumes:`
			`- 'configMap'`
			`- 'emptyDir'`
			`@@ -42,12 +27,20 @@`
			`hostIPC: false`
			`hostPID: false`
			`runAsUser:`
			`- rule: 'RunAsAny'`
			`+ rule: 'MustRunAsNonRoot'`
			`seLinux:`
			`rule: 'RunAsAny'`
			`supplementalGroups:`
			`- rule: 'RunAsAny'`
			`+ rule: 'MustRunAs'`
			`+ ranges:`
			`+ # Forbid adding the root group.`
			`+ - min: 1`
			`+ max: 65535`
			`fsGroup:`
			`- rule: 'RunAsAny'`
			`+ rule: 'MustRunAs'`
			`+ ranges:`
			`+ # Forbid adding the root group.`
			`+ - min: 1`
			`+ max: 65535`
			`readOnlyRootFilesystem: false`
			`{{- end }}`