# PodSecurityPolicy "psp.flannel.unprivileged": the admission constraints for pods that use it.
# Only part of the object is visible in this excerpt (parent keys such as metadata/spec are missing).
# NOTE(review): PodSecurityPolicy stopped being served from extensions/v1beta1 in Kubernetes 1.16
# (policy/v1beta1 replaced it) and the PSP API was removed entirely in 1.25.
2 apiVersion: extensions/v1beta1
3 kind: PodSecurityPolicy
5 name: psp.flannel.unprivileged
# Seccomp: only one profile is allowed and it is also the default, so pods cannot opt out of it.
# NOTE(review): the "docker/default" name is deprecated in favour of "runtime/default".
7 seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
8 seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
# AppArmor: the container runtime's default profile is both the only allowed one and the default.
9 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
10 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
# Path prefixes; in the PSP schema pathPrefix belongs to allowedHostPaths (the parent key is not
# visible here). No readOnly flag is visible for these entries - confirm whether write access to
# each host path is actually required.
19 - pathPrefix: "/etc/cni/net.d"
20 - pathPrefix: "/etc/kube-flannel"
21 - pathPrefix: "/run/flannel"
# The policy does not force a read-only root filesystem on containers.
22 readOnlyRootFilesystem: false
30 # Privilege Escalation
# Escalation is disallowed and the default is also false, so a process cannot gain more
# privileges than its parent.
31 allowPrivilegeEscalation: false
32 defaultAllowPrivilegeEscalation: false
# NET_ADMIN is the only capability a pod may add; nothing is added by default.
34 allowedCapabilities: ['NET_ADMIN']
35 defaultAddCapabilities: []
# NOTE(review): nothing is required to be dropped, so containers keep the runtime's default
# capability set. Review whether any of those can be dropped for this workload.
36 requiredDropCapabilities: []
46 # SELinux is unused in CaaSP
# RBAC object (kind and name lines are not visible in this excerpt) with a rule on the
# podsecuritypolicies resource.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served as of Kubernetes 1.22;
# rbac.authorization.k8s.io/v1 is the replacement.
50 apiVersion: rbac.authorization.k8s.io/v1beta1
54 - apiGroups: ['extensions']
55 resources: ['podsecuritypolicies']
# resourceNames limits the rule to this single policy rather than every PodSecurityPolicy.
# The verbs line is not visible here - presumably "use"; confirm.
57 resourceNames: ['psp.flannel.unprivileged']
# ClusterRoleBinding: grants the referenced role cluster-wide to the listed subjects.
# The binding name, roleRef name and subject name are not visible in this excerpt.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served as of Kubernetes 1.22;
# rbac.authorization.k8s.io/v1 is the replacement.
78 kind: ClusterRoleBinding
79 apiVersion: rbac.authorization.k8s.io/v1beta1
83 apiGroup: rbac.authorization.k8s.io
# Subject is a ServiceAccount in kube-system; presumably the "flannel" account that the
# workloads later in this file run as - confirm against the missing name line.
87 - kind: ServiceAccount
89 namespace: kube-system
# The first namespace line belongs to an object whose kind and name are not visible in this
# excerpt. The remaining lines belong to "kube-flannel-cfg" in kube-system, which holds JSON
# configuration: "isDefaultGateway" is enabled, and "Network" sets the address range to
# 10.244.0.0/16.
# NOTE(review): presumably this range must match the cluster's pod CIDR - confirm.
# The two JSON lines sit inside an embedded document in the full file, so no comments are
# placed between them.
95 namespace: kube-system
100 name: kube-flannel-cfg
101 namespace: kube-system
114 "isDefaultGateway": true
127 "Network": "10.244.0.0/16",
# Workload "kube-flannel-ds-amd64" in kube-system. The kind line is not visible in this excerpt;
# the name suggests a DaemonSet.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of Kubernetes 1.16;
# apps/v1 is the replacement and requires an explicit spec.selector.
133 apiVersion: extensions/v1beta1
136 name: kube-flannel-ds-amd64
137 namespace: kube-system
# Architecture label value amd64.
# NOTE(review): beta.kubernetes.io/arch is the deprecated form of the kubernetes.io/arch label.
150 beta.kubernetes.io/arch: amd64
# Pods run under the "flannel" ServiceAccount.
154 serviceAccountName: flannel
# First of two containers that use this image.
# NOTE(review): a tag can be re-pointed; pinning by digest
# (quay.io/coreos/flannel@sha256:<digest>) fixes the exact image content run on every node.
157 image: quay.io/coreos/flannel:v0.11.0-amd64
# Arguments: a file under /etc/kube-flannel and a file under /etc/cni/net.d. The command is not
# visible here - presumably a copy that installs the CNI configuration; confirm.
162 - /etc/kube-flannel/cni-conf.json
163 - /etc/cni/net.d/10-flannel.conflist
# Both mount paths also appear as pathPrefix entries in the PodSecurityPolicy in this file;
# whether each mount is hostPath-backed is not visible here.
166 mountPath: /etc/cni/net.d
168 mountPath: /etc/kube-flannel/
# Second container using the same image and tag.
171 image: quay.io/coreos/flannel:v0.11.0-amd64
# Values taken from the pod's own metadata via fieldPath.
192 fieldPath: metadata.name
193 - name: POD_NAMESPACE
196 fieldPath: metadata.namespace
199 mountPath: /run/flannel
201 mountPath: /etc/kube-flannel/
# Same name as the kube-flannel-cfg object defined earlier in this file; presumably the
# source of a volume - confirm.
211 name: kube-flannel-cfg
# Workload "kube-flannel-ds-arm64" in kube-system. The kind line is not visible in this excerpt;
# the name suggests a DaemonSet.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of Kubernetes 1.16;
# apps/v1 is the replacement and requires an explicit spec.selector.
213 apiVersion: extensions/v1beta1
216 name: kube-flannel-ds-arm64
217 namespace: kube-system
# Architecture label value arm64.
# NOTE(review): beta.kubernetes.io/arch is the deprecated form of the kubernetes.io/arch label.
230 beta.kubernetes.io/arch: arm64
# Pods run under the "flannel" ServiceAccount.
234 serviceAccountName: flannel
# First of two containers that use this image.
# NOTE(review): a tag can be re-pointed; pinning by digest
# (quay.io/coreos/flannel@sha256:<digest>) fixes the exact image content run on every node.
237 image: quay.io/coreos/flannel:v0.11.0-arm64
# Arguments: a file under /etc/kube-flannel and a file under /etc/cni/net.d. The command is not
# visible here - presumably a copy that installs the CNI configuration; confirm.
242 - /etc/kube-flannel/cni-conf.json
243 - /etc/cni/net.d/10-flannel.conflist
# Both mount paths also appear as pathPrefix entries in the PodSecurityPolicy in this file;
# whether each mount is hostPath-backed is not visible here.
246 mountPath: /etc/cni/net.d
248 mountPath: /etc/kube-flannel/
# Second container using the same image and tag.
251 image: quay.io/coreos/flannel:v0.11.0-arm64
# Values taken from the pod's own metadata via fieldPath.
272 fieldPath: metadata.name
273 - name: POD_NAMESPACE
276 fieldPath: metadata.namespace
279 mountPath: /run/flannel
281 mountPath: /etc/kube-flannel/
# Same name as the kube-flannel-cfg object defined earlier in this file; presumably the
# source of a volume - confirm.
291 name: kube-flannel-cfg
# Workload "kube-flannel-ds-arm" in kube-system. The kind line is not visible in this excerpt;
# the name suggests a DaemonSet.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of Kubernetes 1.16;
# apps/v1 is the replacement and requires an explicit spec.selector.
293 apiVersion: extensions/v1beta1
296 name: kube-flannel-ds-arm
297 namespace: kube-system
# Architecture label value arm.
# NOTE(review): beta.kubernetes.io/arch is the deprecated form of the kubernetes.io/arch label.
310 beta.kubernetes.io/arch: arm
# Pods run under the "flannel" ServiceAccount.
314 serviceAccountName: flannel
# First of two containers that use this image.
# NOTE(review): a tag can be re-pointed; pinning by digest
# (quay.io/coreos/flannel@sha256:<digest>) fixes the exact image content run on every node.
317 image: quay.io/coreos/flannel:v0.11.0-arm
# Arguments: a file under /etc/kube-flannel and a file under /etc/cni/net.d. The command is not
# visible here - presumably a copy that installs the CNI configuration; confirm.
322 - /etc/kube-flannel/cni-conf.json
323 - /etc/cni/net.d/10-flannel.conflist
# Both mount paths also appear as pathPrefix entries in the PodSecurityPolicy in this file;
# whether each mount is hostPath-backed is not visible here.
326 mountPath: /etc/cni/net.d
328 mountPath: /etc/kube-flannel/
# Second container using the same image and tag.
331 image: quay.io/coreos/flannel:v0.11.0-arm
# Values taken from the pod's own metadata via fieldPath.
352 fieldPath: metadata.name
353 - name: POD_NAMESPACE
356 fieldPath: metadata.namespace
359 mountPath: /run/flannel
361 mountPath: /etc/kube-flannel/
# Same name as the kube-flannel-cfg object defined earlier in this file; presumably the
# source of a volume - confirm.
371 name: kube-flannel-cfg
# Workload "kube-flannel-ds-ppc64le" in kube-system. The kind line is not visible in this
# excerpt; the name suggests a DaemonSet.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of Kubernetes 1.16;
# apps/v1 is the replacement and requires an explicit spec.selector.
373 apiVersion: extensions/v1beta1
376 name: kube-flannel-ds-ppc64le
377 namespace: kube-system
# Architecture label value ppc64le.
# NOTE(review): beta.kubernetes.io/arch is the deprecated form of the kubernetes.io/arch label.
390 beta.kubernetes.io/arch: ppc64le
# Pods run under the "flannel" ServiceAccount.
394 serviceAccountName: flannel
# First of two containers that use this image.
# NOTE(review): a tag can be re-pointed; pinning by digest
# (quay.io/coreos/flannel@sha256:<digest>) fixes the exact image content run on every node.
397 image: quay.io/coreos/flannel:v0.11.0-ppc64le
# Arguments: a file under /etc/kube-flannel and a file under /etc/cni/net.d. The command is not
# visible here - presumably a copy that installs the CNI configuration; confirm.
402 - /etc/kube-flannel/cni-conf.json
403 - /etc/cni/net.d/10-flannel.conflist
# Both mount paths also appear as pathPrefix entries in the PodSecurityPolicy in this file;
# whether each mount is hostPath-backed is not visible here.
406 mountPath: /etc/cni/net.d
408 mountPath: /etc/kube-flannel/
# Second container using the same image and tag.
411 image: quay.io/coreos/flannel:v0.11.0-ppc64le
# Values taken from the pod's own metadata via fieldPath.
432 fieldPath: metadata.name
433 - name: POD_NAMESPACE
436 fieldPath: metadata.namespace
439 mountPath: /run/flannel
441 mountPath: /etc/kube-flannel/
# Same name as the kube-flannel-cfg object defined earlier in this file; presumably the
# source of a volume - confirm.
451 name: kube-flannel-cfg
# Workload "kube-flannel-ds-s390x" in kube-system. The kind line is not visible in this excerpt;
# the name suggests a DaemonSet.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of Kubernetes 1.16;
# apps/v1 is the replacement and requires an explicit spec.selector.
453 apiVersion: extensions/v1beta1
456 name: kube-flannel-ds-s390x
457 namespace: kube-system
# Architecture label value s390x.
# NOTE(review): beta.kubernetes.io/arch is the deprecated form of the kubernetes.io/arch label.
470 beta.kubernetes.io/arch: s390x
# Pods run under the "flannel" ServiceAccount.
474 serviceAccountName: flannel
# First of two containers that use this image.
# NOTE(review): a tag can be re-pointed; pinning by digest
# (quay.io/coreos/flannel@sha256:<digest>) fixes the exact image content run on every node.
477 image: quay.io/coreos/flannel:v0.11.0-s390x
# Arguments: a file under /etc/kube-flannel and a file under /etc/cni/net.d. The command is not
# visible here - presumably a copy that installs the CNI configuration; confirm.
482 - /etc/kube-flannel/cni-conf.json
483 - /etc/cni/net.d/10-flannel.conflist
# Both mount paths also appear as pathPrefix entries in the PodSecurityPolicy in this file;
# whether each mount is hostPath-backed is not visible here.
486 mountPath: /etc/cni/net.d
488 mountPath: /etc/kube-flannel/
# Second container using the same image and tag.
491 image: quay.io/coreos/flannel:v0.11.0-s390x
# Values taken from the pod's own metadata via fieldPath.
512 fieldPath: metadata.name
513 - name: POD_NAMESPACE
516 fieldPath: metadata.namespace
519 mountPath: /run/flannel
521 mountPath: /etc/kube-flannel/
# Same name as the kube-flannel-cfg object defined earlier in this file; presumably the
# source of a volume - confirm.
531 name: kube-flannel-cfg