1 {{- if eq .Values.cni "flannel" }}
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed from the Kubernetes API in v1.25;
# this document only produces a usable object on older clusters — confirm the target version.
7 apiVersion: policy/v1beta1
8 kind: PodSecurityPolicy
10 name: psp.flannel.unprivileged
# Seccomp and AppArmor are pinned to the container runtime's default profiles through the
# legacy annotation form (the seccomp annotations are deprecated in favour of
# securityContext.seccompProfile on newer clusters).
12 seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
13 seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
14 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
15 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
# Host path prefixes a pod under this policy may mount.
# NOTE(review): the DaemonSet below also mounts /opt/cni/bin and /run/xtables.lock from the
# host; unless a prefix on a line outside this excerpt covers them, PSP admission would reject
# the flannel pod — verify against the full manifest.
24 - pathPrefix: "/etc/cni/net.d"
25 - pathPrefix: "/etc/kube-flannel"
26 - pathPrefix: "/run/flannel"
# Pods are not forced to a read-only root filesystem.
27 readOnlyRootFilesystem: false
35 # Privilege Escalation
# Denied both as the default and as the upper bound: a container cannot gain privilege
# via setuid binaries or file capabilities.
36 allowPrivilegeEscalation: false
37 defaultAllowPrivilegeEscalation: false
# Only the two network capabilities flannel requests (see the DaemonSet's securityContext
# below) are allowed; nothing is added by default and nothing is required to be dropped.
39 allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
40 defaultAddCapabilities: []
41 requiredDropCapabilities: []
51 # SELinux is unused in CaaSP
55 apiVersion: rbac.authorization.k8s.io/v1
# Scoped to exactly one PSP by name (resourceNames) rather than to every policy in the cluster.
# NOTE(review): the PSP itself is declared under the policy/v1beta1 group above while this rule
# names the legacy 'extensions' group; confirm on the target version that the PSP admission
# check is satisfied by 'extensions', or list 'policy' here as well.
59 - apiGroups: ['extensions']
60 resources: ['podsecuritypolicies']
62 resourceNames: ['psp.flannel.unprivileged']
# Cluster-wide binding; the role it references is on a line outside this excerpt.
83 kind: ClusterRoleBinding
84 apiVersion: rbac.authorization.k8s.io/v1
88 apiGroup: rbac.authorization.k8s.io
# Subject is a namespaced ServiceAccount in kube-system (presumably the `flannel` account the
# DaemonSet runs as; the name line is outside this excerpt).
92 - kind: ServiceAccount
94 namespace: kube-system
# presumably the ServiceAccount referenced by serviceAccountName in the DaemonSet below — kind
# and name lines are outside this excerpt; verify.
100 namespace: kube-system
# ConfigMap mounted into the flannel pod at /etc/kube-flannel/ (see the DaemonSet below).
105 name: kube-flannel-cfg
106 namespace: kube-system
# CNI plugin chain configuration; presumably the cni-conf.json key that an init container
# copies to /etc/cni/net.d/10-flannel.conflist — the key name is outside this excerpt.
114 "cniVersion": "0.3.1",
120 "isDefaultGateway": true
# Pod CIDR is templated from values; keep the quotes so an empty or number-looking value still
# renders as a JSON string instead of breaking the document.
133 "Network": "{{ .Values.podCidr }}",
# flannel workload (the kind line is outside this excerpt; the name suggests a DaemonSet, i.e.
# one pod per node). Runs in kube-system as the `flannel` service account at node-critical priority.
142 name: kube-flannel-ds
143 namespace: kube-system
# Hard scheduling constraint on the node OS label; the required value is on a line outside
# this excerpt.
159 requiredDuringSchedulingIgnoredDuringExecution:
162 - key: kubernetes.io/os
167 priorityClassName: system-node-critical
171 serviceAccountName: flannel
# Init container: installs the flannel CNI binary into the host's /opt/cni/bin (the copy
# command is on lines outside this excerpt).
173 - name: install-cni-plugin
# NOTE(review): all three images below are pinned by tag only; tags are mutable, so pinning by
# digest (image@sha256:<digest-from-registry>) would make the pulled content verifiable.
174 # image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le (dockerhub limitations may apply)
175 image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
181 - /opt/cni/bin/flannel
184 mountPath: /opt/cni/bin
# Second init container (name line outside this excerpt): copies the CNI config from the
# ConfigMap mount into the host's CNI config directory.
186 # image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
187 image: rancher/mirrored-flannelcni-flannel:v0.16.1
192 - /etc/kube-flannel/cni-conf.json
193 - /etc/cni/net.d/10-flannel.conflist
196 mountPath: /etc/cni/net.d
198 mountPath: /etc/kube-flannel/
# Main flannel container.
201 # image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
202 image: rancher/mirrored-flannelcni-flannel:v0.16.1
# Matches the PSP's allowedCapabilities exactly; keep the two lists in sync.
218 add: ["NET_ADMIN", "NET_RAW"]
# Downward API: pod name and namespace exposed to flannel through the environment.
223 fieldPath: metadata.name
224 - name: POD_NAMESPACE
227 fieldPath: metadata.namespace
230 mountPath: /run/flannel
232 mountPath: /etc/kube-flannel/
# /run/xtables.lock is the iptables lock file shared with other iptables users on the node
# (e.g. kube-proxy) so that concurrent rule edits serialize.
234 mountPath: /run/xtables.lock
# Volume sourcing the kube-flannel-cfg ConfigMap defined above.
247 name: kube-flannel-cfg
250 path: /run/xtables.lock
254 creationTimestamp: null
255 name: {{ .Values.clusterName }}-flannel-addon