# Per-cluster flannel addon manifest. Rendered once per entry of .Values.clusters,
# and only for clusters whose `cni` value is "flannel". The closing `end`
# directives for the range/if are outside this excerpt.
1 {{- range $clusterName, $cluster := .Values.clusters }}
2 {{- if eq $cluster.cni "flannel" }}
# PodSecurityPolicy for the flannel pods. NOTE(review): the PSP API
# (policy/v1beta1) was deprecated in Kubernetes 1.21 and removed in 1.25;
# on newer clusters this object will not be accepted and the equivalent
# restrictions need to come from Pod Security Admission or another admission
# controller.
8 apiVersion: policy/v1beta1
9 kind: PodSecurityPolicy
11 name: psp.flannel.unprivileged
# Seccomp/AppArmor annotations: pin the pods to the runtime default profiles
# and forbid any other profile. These are the legacy alpha/beta annotation
# keys; newer releases express seccomp via securityContext.seccompProfile.
13 seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
14 seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
15 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
16 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
# Host-path prefixes the policy permits: CNI config, flannel config and
# flannel runtime state. NOTE(review): the init container below mounts
# /opt/cni/bin (line 184) and that prefix is not in this list; if that volume
# is a hostPath (its definition is outside this excerpt), PSP admission would
# reject the pod -- confirm against the volumes stanza.
25 - pathPrefix: "/etc/cni/net.d"
26 - pathPrefix: "/etc/kube-flannel"
27 - pathPrefix: "/run/flannel"
# Writable root filesystem is allowed; the containers here only need the
# mounted host paths, so this could likely be tightened to true -- verify.
28 readOnlyRootFilesystem: false
36 # Privilege Escalation
# No-new-privileges is enforced and defaulted for all pods under this policy.
37 allowPrivilegeEscalation: false
38 defaultAllowPrivilegeEscalation: false
# Only the two capabilities flannel needs for routing/VXLAN may be added;
# this matches the `add:` list on the flannel container (line 216).
# requiredDropCapabilities is empty, so the default capability set is kept;
# a stricter policy would require dropping ALL and re-adding only these two.
40 allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
41 defaultAddCapabilities: []
42 requiredDropCapabilities: []
52 # SELinux is unused in CaaSP
# ClusterRole granting `use` on the PSP above. NOTE(review): the PSP
# resource lives in the `policy` API group; `extensions` is the legacy group
# the PSP admission plugin also historically checked -- confirm the verb/group
# pairing still authorises on the target Kubernetes version.
56 apiVersion: rbac.authorization.k8s.io/v1
60 - apiGroups: ['extensions']
61 resources: ['podsecuritypolicies']
63 resourceNames: ['psp.flannel.unprivileged']
# Binds the role to the flannel ServiceAccount in kube-system (the subject's
# name is outside this excerpt; serviceAccountName on the pod is `flannel`).
84 kind: ClusterRoleBinding
85 apiVersion: rbac.authorization.k8s.io/v1
89 apiGroup: rbac.authorization.k8s.io
93 - kind: ServiceAccount
95 namespace: kube-system
101 namespace: kube-system
# ConfigMap holding the CNI conflist and flannel net-conf consumed by the
# DaemonSet (referenced again at line 243).
106 name: kube-flannel-cfg
107 namespace: kube-system
115 "cniVersion": "0.3.1",
121 "isDefaultGateway": true
# podCidr is interpolated straight into JSON; it is a chart value, not user
# input, but a malformed value will break the rendered net-conf rather than
# fail template rendering.
134 "Network": "{{ $cluster.podCidr }}",
# DaemonSet running flannel on every Linux node.
143 name: kube-flannel-ds
144 namespace: kube-system
160 requiredDuringSchedulingIgnoredDuringExecution:
163 - key: kubernetes.io/os
168 priorityClassName: system-node-critical
172 serviceAccountName: flannel
# Init container 1: copies the flannel CNI plugin binary onto the host.
# Images here are pinned by tag only; pinning by digest would make the
# supply chain verifiable (a tag can be re-pushed).
174 - name: install-cni-plugin
175 image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.2
181 - /opt/cni/bin/flannel
184 mountPath: /opt/cni/bin
# Init container 2: installs the CNI conflist from the ConfigMap into the
# host's CNI config directory.
186 image: quay.io/coreos/flannel:v0.15.0
191 - /etc/kube-flannel/cni-conf.json
192 - /etc/cni/net.d/10-flannel.conflist
195 mountPath: /etc/cni/net.d
197 mountPath: /etc/kube-flannel/
# Main flannel container; same image as the conflist installer.
200 image: quay.io/coreos/flannel:v0.15.0
# Capabilities added here must stay within allowedCapabilities (line 40).
216 add: ["NET_ADMIN", "NET_RAW"]
# Pod identity injected via the downward API.
221 fieldPath: metadata.name
222 - name: POD_NAMESPACE
225 fieldPath: metadata.namespace
228 mountPath: /run/flannel
230 mountPath: /etc/kube-flannel/
243 name: kube-flannel-cfg
# creationTimestamp is normally server-populated; a literal null here is
# harmless but unusual in a template. The templated name is unquoted --
# quoting it ("{{ $clusterName }}-flannel-addon") guards against cluster
# names that begin with a YAML indicator character.
246 creationTimestamp: null
247 name: {{ $clusterName }}-flannel-addon