rancher-charts/packages/rancher-istio/1.12/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml

{{- if .Values.global.rbac.pspEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kiali-server.fullname" . }}-psp
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kiali-server.fullname" . }}-psp
subjects:
  - kind: ServiceAccount
    name: kiali
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kiali-server.fullname" . }}-psp
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
  - policy
  resourceNames:
  - {{ include "kiali-server.fullname" . }}-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "kiali-server.fullname" . }}-psp
  namespace: {{ .Release.Namespace }}
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
  - '*'
  fsGroup:
      ranges:
        - max: 65535
          min: 1
      rule: MustRunAs
  requiredDropCapabilities:
  - ALL
  runAsUser:
      rule: MustRunAsNonRoot
  runAsGroup:
      rule: MustRunAs
      ranges:
      - min: 1
        max: 65535
  seLinux:
      rule: RunAsAny
  supplementalGroups:
      ranges:
        - max: 65535
          min: 1
      rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
{{- end }}
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`{{- if .Values.global.rbac.pspEnabled }}`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: {{ include "kiali-server.fullname" . }}-psp`
			`namespace: {{ .Release.Namespace }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: {{ include "kiali-server.fullname" . }}-psp`
			`subjects:`
			`- kind: ServiceAccount`
			`name: kiali`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: {{ include "kiali-server.fullname" . }}-psp`
			`namespace: {{ .Release.Namespace }}`
			`rules:`
			`- apiGroups:`
			`- policy`
			`resourceNames:`
			`- {{ include "kiali-server.fullname" . }}-psp`
			`resources:`
			`- podsecuritypolicies`
			`verbs:`
			`- use`
			`---`
			`apiVersion: policy/v1beta1`
			`kind: PodSecurityPolicy`
			`metadata:`
			`name: {{ include "kiali-server.fullname" . }}-psp`
			`namespace: {{ .Release.Namespace }}`
			`spec:`
			`allowPrivilegeEscalation: false`
			`forbiddenSysctls:`
			`- '*'`
			`fsGroup:`
			`ranges:`
			`- max: 65535`
			`min: 1`
			`rule: MustRunAs`
			`requiredDropCapabilities:`
			`- ALL`
			`runAsUser:`
			`rule: MustRunAsNonRoot`
			`runAsGroup:`
			`rule: MustRunAs`
			`ranges:`
			`- min: 1`
			`max: 65535`
			`seLinux:`
			`rule: RunAsAny`
			`supplementalGroups:`
			`ranges:`
			`- max: 65535`
			`min: 1`
			`rule: MustRunAs`
			`volumes:`
			`- configMap`
			`- emptyDir`
			`- projected`
			`- secret`
			`- downwardAPI`
			`- persistentVolumeClaim`
			`{{- end }}`