1 {{- if eq .Values.cni "flannel" }}
# PodSecurityPolicy for the flannel DaemonSet. policy/v1beta1 PodSecurityPolicy
# was removed in Kubernetes 1.25; clusters on that release or later need a
# Pod Security Admission or policy-engine equivalent of these constraints.
7 apiVersion: policy/v1beta1
8 kind: PodSecurityPolicy
10 name: psp.flannel.unprivileged
# Seccomp and AppArmor are pinned through the legacy alpha/beta annotations.
# The seccomp annotation is superseded by securityContext.seccompProfile, and
# docker/default is a deprecated alias of runtime/default.
12 seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
13 seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
14 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
15 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
# Host paths the pod may mount. No readOnly: true is set on any entry, so all
# three may be mounted writable; the DaemonSet below appears to install its
# conflist into /etc/cni/net.d and mounts /run/flannel, so it needs that.
24 - pathPrefix: "/etc/cni/net.d"
25 - pathPrefix: "/etc/kube-flannel"
26 - pathPrefix: "/run/flannel"
27 readOnlyRootFilesystem: false
35 # Privilege Escalation
36 allowPrivilegeEscalation: false
37 defaultAllowPrivilegeEscalation: false
# Capabilities: containers may request NET_ADMIN and NET_RAW (the flannel
# container in the DaemonSet does), nothing is added by default, and nothing
# is forced to be dropped, so the runtime's default capability set is kept.
39 allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
40 defaultAddCapabilities: []
41 requiredDropCapabilities: []
51 # SELinux is unused in CaaSP
55 apiVersion: rbac.authorization.k8s.io/v1
# ClusterRole rule that lets bound subjects use the flannel PSP (the verb line
# is not shown here, presumably "use"). The rule names apiGroups
# ['extensions'], while the PSP above is declared under policy/v1beta1;
# upstream flannel manifests grant this on ['policy']. Confirm the PSP
# admission controller on the target Kubernetes version still honors the
# extensions group here, otherwise the DaemonSet's pods are rejected.
59 - apiGroups: ['extensions']
60 resources: ['podsecuritypolicies']
# Scoped to the single PSP by name, which is the intended least-privilege shape.
62 resourceNames: ['psp.flannel.unprivileged']
83 kind: ClusterRoleBinding
84 apiVersion: rbac.authorization.k8s.io/v1
88 apiGroup: rbac.authorization.k8s.io
# Binds the role (role name not shown) to a single ServiceAccount in
# kube-system; the DaemonSet runs as serviceAccountName flannel, so that is
# presumably the subject. Keep the binding limited to this one account so the
# PSP "use" grant does not widen to other workloads.
92 - kind: ServiceAccount
94 namespace: kube-system
100 namespace: kube-system
# ConfigMap holding the CNI conflist and the flannel net-conf as JSON text.
# isDefaultGateway: true is a CNI bridge-plugin setting (pod default route via
# the bridge). The pod CIDR is templated straight into the JSON and nothing
# here validates that .Values.podCidr is a CIDR, so a missing value renders an
# empty "Network" string and only fails at runtime, not at template time.
105 name: kube-flannel-cfg
106 namespace: kube-system
114 "cniVersion": "0.3.1",
120 "isDefaultGateway": true
133 "Network": "{{ .Values.podCidr }}",
# DaemonSet running flannel on every node that matches the affinity below.
142 name: kube-flannel-ds
143 namespace: kube-system
# Hard scheduling requirement keyed on kubernetes.io/os (the value is not shown).
159 requiredDuringSchedulingIgnoredDuringExecution:
162 - key: kubernetes.io/os
# Node-critical priority so the CNI pod is scheduled first and evicted last;
# the pod runs under the dedicated flannel ServiceAccount bound to the PSP above.
167 priorityClassName: system-node-critical
171 serviceAccountName: flannel
# Init container: installs the flannel CNI plugin binary into the host's
# /opt/cni/bin. Both images in this pod are pinned by tag only; a tag can be
# re-pushed, so pinning by digest (image@sha256:...) is the stronger
# supply-chain control for a component that runs with NET_ADMIN.
173 - name: install-cni-plugin
174 image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.2
180 - /opt/cni/bin/flannel
183 mountPath: /opt/cni/bin
# Presumably a second init container (command not shown): its args name the
# conflist from the ConfigMap mount as source and /etc/cni/net.d as the
# destination, which is how the kubelet picks up flannel as the CNI.
185 image: quay.io/coreos/flannel:v0.15.0
190 - /etc/kube-flannel/cni-conf.json
191 - /etc/cni/net.d/10-flannel.conflist
194 mountPath: /etc/cni/net.d
196 mountPath: /etc/kube-flannel/
# Main flannel container. NET_ADMIN and NET_RAW are the only capabilities
# added, matching the PSP's allowedCapabilities exactly; pod name and
# namespace are injected from the downward API.
199 image: quay.io/coreos/flannel:v0.15.0
215 add: ["NET_ADMIN", "NET_RAW"]
220 fieldPath: metadata.name
221 - name: POD_NAMESPACE
224 fieldPath: metadata.namespace
227 mountPath: /run/flannel
229 mountPath: /etc/kube-flannel/
# Volume source, presumably backing the /etc/kube-flannel/ mount with the
# kube-flannel-cfg ConfigMap defined earlier.
242 name: kube-flannel-cfg
# Trailing resource (kind not shown) named from the cluster name. The templated
# name is an unquoted scalar; wrapping the whole value in double quotes keeps an
# empty or unusual clusterName from rendering as null or as unparseable YAML.
# Nothing here validates that the result is a valid DNS-style resource name.
245 creationTimestamp: null
246 name: {{ .Values.clusterName }}-flannel-addon