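{{- if .Values.global.rbac.pspEnabled }}
# PodSecurityPolicy wiring for the tracing workload, rendered only when
# .Values.global.rbac.pspEnabled is set. Four objects are emitted: the
# ServiceAccount the pods run as, a Role granting `use` on exactly one PSP,
# the RoleBinding tying the two together, and the PSP itself.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "tracing.fullname" . }}
subjects:
  # The subject namespace is stated explicitly instead of relying on the RBAC
  # default for ServiceAccount subjects in a RoleBinding (the binding's own
  # namespace), so the grant reads unambiguously and audit tooling does not
  # have to infer it.
  - kind: ServiceAccount
    name: {{ include "tracing.fullname" . }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  # `use` on the single PSP named after the release is the only permission the
  # ServiceAccount needs for the PSP admission controller to accept its pods.
  # The grant is pinned by resourceNames so it cannot be used to pick a more
  # permissive policy that happens to exist in the cluster.
  - apiGroups:
      - policy
    resourceNames:
      - {{ include "tracing.fullname" . }}
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
# policy/v1beta1 PodSecurityPolicy is deprecated and removed in Kubernetes
# 1.25+; this block is gated behind pspEnabled so it can be switched off on
# such clusters.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "tracing.fullname" . }}
  # PodSecurityPolicy is cluster-scoped, so no namespace is set here; a
  # namespace on a cluster-scoped object is ignored by the API server and only
  # misleads readers.
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  allowPrivilegeEscalation: false
  # privileged, hostNetwork, hostPID and hostIPC are left unset and therefore
  # default to false.
  # Quoted so '*' is a string (all sysctls forbidden), not a YAML alias.
  forbiddenSysctls:
    - '*'
  fsGroup:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  # Only non-host volume types; hostPath is deliberately absent.
  volumes:
    - emptyDir
    - secret
    - persistentVolumeClaim
{{- end }}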