6 apiVersion: policy/v1beta1
7 kind: PodSecurityPolicy
11 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
14 allowPrivilegeEscalation: true
34 apiVersion: policy/v1beta1
35 kind: PodSecurityPolicy
39 # Optional: Allow the default AppArmor profile, requires setting the default.
40 apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
41 apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
42 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
45 # The moby default capability set, minus NET_RAW
60 # Allow all volume types except hostpath
68 # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
70 - 'persistentVolumeClaim'
72 # Allow all other non-hostpath volume types.
73 - 'awsElasticBlockStore'
86 - 'photonPersistentDisk'
96 readOnlyRootFilesystem: false
100 # This policy assumes the nodes are using AppArmor rather than SELinux.
101 # The PSP SELinux API cannot express the SELinux Pod Security Standards,
102 # so if using SELinux, you must choose a more restrictive default.
109 apiVersion: policy/v1beta1
110 kind: PodSecurityPolicy
114 seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
115 apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
116 apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
119 # Required to prevent escalations to root.
120 allowPrivilegeEscalation: false
121 requiredDropCapabilities:
123 # Allow core volume types.
130 # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
132 - 'persistentVolumeClaim'
138 # Require the container to run without root privileges.
139 rule: 'MustRunAsNonRoot'
141 # This policy assumes the nodes are using AppArmor rather than SELinux.
146 # Forbid adding the root group.
152 # Forbid adding the root group.
155 readOnlyRootFilesystem: false
157 apiVersion: policy/v1beta1
158 kind: PodSecurityPolicy
162 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
165 allowPrivilegeEscalation: true
187 requiredDropCapabilities:
190 apiVersion: rbac.authorization.k8s.io/v1
195 addonmanager.kubernetes.io/mode: Reconcile
202 - podsecuritypolicies
206 apiVersion: rbac.authorization.k8s.io/v1
211 addonmanager.kubernetes.io/mode: Reconcile
218 - podsecuritypolicies
222 apiVersion: rbac.authorization.k8s.io/v1
227 addonmanager.kubernetes.io/mode: Reconcile
234 - podsecuritypolicies
238 apiVersion: rbac.authorization.k8s.io/v1
243 addonmanager.kubernetes.io/mode: Reconcile
250 - podsecuritypolicies
254 apiVersion: rbac.authorization.k8s.io/v1
257 name: psp:privileged:nodes
258 namespace: kube-system
260 addonmanager.kubernetes.io/mode: Reconcile
262 apiGroup: rbac.authorization.k8s.io
268 apiGroup: rbac.authorization.k8s.io
270 apiVersion: rbac.authorization.k8s.io/v1
273 name: psp:privileged:kube-system
274 namespace: kube-system
276 apiGroup: rbac.authorization.k8s.io
281 name: system:serviceaccounts:kube-system
282 apiGroup: rbac.authorization.k8s.io
284 apiVersion: rbac.authorization.k8s.io/v1
285 kind: ClusterRoleBinding
291 apiGroup: rbac.authorization.k8s.io
294 name: system:authenticated
295 apiGroup: rbac.authorization.k8s.io
298 creationTimestamp: null
299 name: {{ .Values.clusterName }}-podsecurity-addon