Work on PodSecurityPolicy
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
f668bb276c
commit
3bb04bb45c
10 changed files with 132 additions and 50 deletions
51
templates/traefik-psp.yml.j2
Normal file
51
templates/traefik-psp.yml.j2
Normal file
|
|
@ -0,0 +1,51 @@
|
|||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
|
||||
name: traefik-ingress-controller
|
||||
spec:
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
allowedCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
# Allow core volume types.
|
||||
volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- secret
|
||||
- emptyDir
|
||||
- projected
|
||||
# - persistentVolumeClaim
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
# Require the container to run without root privileges.
|
||||
rule: 'MustRunAsNonRoot'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
hostPorts:
|
||||
- max: 65535
|
||||
min: 1
|
||||
readOnlyRootFilesystem: true
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
hostPorts:
|
||||
- max: 65535
|
||||
min: 1
|
||||
# allowedUnsafeSysctls:
|
||||
# - kernel.net.ipv4.ip_unprivileged_port_start
|
||||
Loading…
Add table
Add a link
Reference in a new issue