mirror of https://git.rancher.io/charts
84 lines
2.2 KiB
YAML
84 lines
2.2 KiB
YAML
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}}
|
|
{{- if .Values.global.rbac.pspEnabled }}
|
|
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: epinio-server-psp
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
|
|
app.kubernetes.io/part-of: epinio-server
|
|
app: epinio-server
|
|
{{- if .Values.global.rbac.pspAnnotations }}
|
|
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
privileged: false
|
|
hostNetwork: false
|
|
hostIPC: false
|
|
hostPID: false
|
|
runAsUser:
|
|
# Permits the container to run with root privileges as well.
|
|
rule: 'RunAsAny'
|
|
seLinux:
|
|
# This policy assumes the nodes are using AppArmor rather than SELinux.
|
|
rule: 'RunAsAny'
|
|
supplementalGroups:
|
|
rule: 'MustRunAs'
|
|
ranges:
|
|
# Forbid adding the root group.
|
|
- min: 0
|
|
max: 65535
|
|
fsGroup:
|
|
rule: 'MustRunAs'
|
|
ranges:
|
|
# Forbid adding the root group.
|
|
- min: 0
|
|
max: 65535
|
|
readOnlyRootFilesystem: false
|
|
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: epinio-server-psp
|
|
labels:
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
|
|
app.kubernetes.io/part-of: epinio-server
|
|
app: epinio-server
|
|
rules:
|
|
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
|
|
- apiGroups: ['policy']
|
|
{{- else }}
|
|
- apiGroups: ['extensions']
|
|
{{- end }}
|
|
resources: ['podsecuritypolicies']
|
|
verbs: ['use']
|
|
resourceNames:
|
|
- epinio-server-psp
|
|
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: epinio-server-psp
|
|
labels:
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
|
|
app.kubernetes.io/part-of: epinio-server
|
|
app: epinio-server
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: epinio-server-psp
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: epinio-server
|
|
namespace: {{ .Release.Namespace }}
|
|
|
|
{{- end }}
|
|
{{- end -}}
|