# NOTE(review): this listing shows only selected lines of a Helm template; the
# leading number on each line is the original file's line number, so most
# metadata (names, labels, roleRefs, verbs) sits in the gaps and is not visible.
# What is visible: one `range` over .Values.clusters that stamps out four
# PodSecurityPolicy objects plus the RBAC objects that grant `use` on them,
# per cluster (the per-cluster suffix appears on the last line).
1 {{- range $clusterName, $cluster := .Values.clusters }}
# --- PSP #1 (orig lines ~7-34): the permissive policy.
# policy/v1beta1 PodSecurityPolicy was removed from Kubernetes in v1.25; on
# clusters at or past that version these objects will fail to apply and the
# controls below need an equivalent in Pod Security Admission or another
# admission controller.
7 apiVersion: policy/v1beta1
8 kind: PodSecurityPolicy
# '*' allows any seccomp profile, including `unconfined`. The quotes are
# required: an unquoted `*` would be parsed by YAML as an alias, not a string.
12 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
# Containers may gain more privileges than their parent process (setuid
# binaries, file capabilities). Expected only in the privileged policy.
15 allowPrivilegeEscalation: true
# --- PSP #2 (orig lines ~35-109): a middle-ground policy, judging by the
# capability/volume comments below; the name line is not in this excerpt.
35 apiVersion: policy/v1beta1
36 kind: PodSecurityPolicy
40 # Optional: Allow the default AppArmor profile, requires setting the default.
# AppArmor is pinned to runtime/default (only that profile is allowed, and it
# is also applied when a pod sets none), but seccomp is still left wide open.
41 apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
42 apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
43 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
# The capability list itself (orig lines ~47-60) is not shown here; the
# comment says it is the moby default set without NET_RAW (raw sockets).
46 # The moby default capability set, minus NET_RAW
# Volume allowlist (orig lines ~61-96). hostPath is deliberately absent; a
# hostPath mount is the usual path from a pod onto the node's filesystem.
61 # Allow all volume types except hostpath
69 # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
71 - 'persistentVolumeClaim'
73 # Allow all other non-hostpath volume types.
74 - 'awsElasticBlockStore'
87 - 'photonPersistentDisk'
# Containers may write to their root filesystem under this policy.
97 readOnlyRootFilesystem: false
101 # This policy assumes the nodes are using AppArmor rather than SELinux.
102 # The PSP SELinux API cannot express the SELinux Pod Security Standards,
103 # so if using SELinux, you must choose a more restrictive default.
# --- PSP #3 (orig lines ~110-157): the restrictive policy (non-root, no
# privilege escalation, capabilities dropped, narrowed seccomp/AppArmor).
110 apiVersion: policy/v1beta1
111 kind: PodSecurityPolicy
# Only the two runtime-default seccomp profiles are accepted here; pods asking
# for `unconfined` or a custom localhost/ profile are rejected by this policy.
115 seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
116 apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
117 apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
120 # Required to prevent escalations to root.
121 allowPrivilegeEscalation: false
# The dropped capabilities (orig line ~123) are not in this excerpt.
122 requiredDropCapabilities:
124 # Allow core volume types.
131 # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
133 - 'persistentVolumeClaim'
139 # Require the container to run without root privileges.
# MustRunAsNonRoot rejects a pod whose image runs as UID 0 unless the pod
# spec sets a non-zero runAsUser (or the image declares a numeric non-root
# user); images that declare a non-numeric USER fail to start under it.
140 rule: 'MustRunAsNonRoot'
142 # This policy assumes the nodes are using AppArmor rather than SELinux.
# The two identical comments below presumably cover supplementalGroups and
# fsGroup respectively (their `rule:`/`ranges:` lines are not in the excerpt).
147 # Forbid adding the root group.
153 # Forbid adding the root group.
# Left writable even in the restrictive policy; if this is intentional
# (e.g. workloads that write to / rather than an emptyDir), a comment saying
# so would help — it is the one hardening knob this policy does not turn.
156 readOnlyRootFilesystem: false
# --- PSP #4 (orig lines ~158-190): unrestricted seccomp and privilege
# escalation again, but with requiredDropCapabilities set (list not shown).
158 apiVersion: policy/v1beta1
159 kind: PodSecurityPolicy
163 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
166 allowPrivilegeEscalation: true
188 requiredDropCapabilities:
# --- RBAC (orig lines ~191-254): four objects, presumably one ClusterRole per
# PSP granting the `use` verb on `podsecuritypolicies` (kind, resourceNames
# and verbs are in the gaps — confirm each one names exactly one policy).
# `Reconcile` mode tells kube-addon-manager to restore these objects if they
# are edited or deleted out-of-band, so changes must go through this template.
191 apiVersion: rbac.authorization.k8s.io/v1
196 addonmanager.kubernetes.io/mode: Reconcile
203 - podsecuritypolicies
207 apiVersion: rbac.authorization.k8s.io/v1
212 addonmanager.kubernetes.io/mode: Reconcile
219 - podsecuritypolicies
223 apiVersion: rbac.authorization.k8s.io/v1
228 addonmanager.kubernetes.io/mode: Reconcile
235 - podsecuritypolicies
239 apiVersion: rbac.authorization.k8s.io/v1
244 addonmanager.kubernetes.io/mode: Reconcile
251 - podsecuritypolicies
# --- Bindings for the privileged policy (orig lines ~255-284). Both carry
# `namespace: kube-system`, so they are presumably RoleBindings (kind line not
# shown): the privileged PSP is usable only by pods in kube-system, by nodes
# and by that namespace's service accounts.
255 apiVersion: rbac.authorization.k8s.io/v1
258 name: psp:privileged:nodes
259 namespace: kube-system
261 addonmanager.kubernetes.io/mode: Reconcile
263 apiGroup: rbac.authorization.k8s.io
269 apiGroup: rbac.authorization.k8s.io
271 apiVersion: rbac.authorization.k8s.io/v1
274 name: psp:privileged:kube-system
275 namespace: kube-system
277 apiGroup: rbac.authorization.k8s.io
# Every service account in kube-system, present or future, gets this binding.
282 name: system:serviceaccounts:kube-system
283 apiGroup: rbac.authorization.k8s.io
# --- Cluster-wide binding (orig lines ~285-298). Unlike the two above, this
# one is a ClusterRoleBinding and its subject is every authenticated principal
# in the cluster. Its roleRef (orig lines ~288-291) is not in the excerpt:
# verify it points at the most restrictive policy's role, because whichever
# PSP is granted here is the floor every pod in every namespace can use.
285 apiVersion: rbac.authorization.k8s.io/v1
286 kind: ClusterRoleBinding
292 apiGroup: rbac.authorization.k8s.io
295 name: system:authenticated
296 apiGroup: rbac.authorization.k8s.io
# `creationTimestamp: null` is the usual artifact of `kubectl ... --dry-run -o yaml`
# output; the API server ignores it, so it can be dropped from the template.
299 creationTimestamp: null
# Per-cluster object name; $clusterName is the map key from the `range` above.
300 name: {{ $clusterName }}-podsecurity-addon