+{{- range $clusterName, $cluster := .Values.clusters }}
+---
+apiVersion: v1
+data:
+ podsecurity.yaml: |
+ ---
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+ name: privileged
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - '*'
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ ---
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+ name: baseline
+ annotations:
+ # Optional: Allow the default AppArmor profile, requires setting the default.
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ spec:
+ privileged: false
+ # The moby default capability set, minus NET_RAW
+ allowedCapabilities:
+ - 'CHOWN'
+ - 'DAC_OVERRIDE'
+ - 'FSETID'
+ - 'FOWNER'
+ - 'MKNOD'
+ - 'SETGID'
+ - 'SETUID'
+ - 'SETFCAP'
+ - 'SETPCAP'
+ - 'NET_BIND_SERVICE'
+ - 'SYS_CHROOT'
+ - 'KILL'
+ - 'AUDIT_WRITE'
+ # Allow all volume types except hostpath
+ volumes:
+ # 'core' volume types
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
+ - 'csi'
+ - 'persistentVolumeClaim'
+ - 'ephemeral'
+ # Allow all other non-hostpath volume types.
+ - 'awsElasticBlockStore'
+ - 'azureDisk'
+ - 'azureFile'
+ - 'cephFS'
+ - 'cinder'
+ - 'fc'
+ - 'flexVolume'
+ - 'flocker'
+ - 'gcePersistentDisk'
+ - 'gitRepo'
+ - 'glusterfs'
+ - 'iscsi'
+ - 'nfs'
+ - 'photonPersistentDisk'
+ - 'portworxVolume'
+ - 'quobyte'
+ - 'rbd'
+ - 'scaleIO'
+ - 'storageos'
+ - 'vsphereVolume'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ readOnlyRootFilesystem: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ # The PSP SELinux API cannot express the SELinux Pod Security Standards,
+ # so if using SELinux, you must choose a more restrictive default.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ ---
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+ name: restricted
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
+ - 'csi'
+ - 'persistentVolumeClaim'
+ - 'ephemeral'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Require the container to run without root privileges.
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ ---
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+ name: icn
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ allowedCapabilities:
+ - 'NET_ADMIN'
+ - 'SYS_ADMIN'
+ - 'SYS_NICE'
+ - 'SYS_PTRACE'
+ requiredDropCapabilities:
+ - 'NET_RAW'
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: psp:privileged
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - privileged
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: psp:baseline
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - baseline
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: psp:icn
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - icn
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: psp:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - restricted
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: psp:privileged:nodes
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+ subjects:
+ - kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: psp:privileged:kube-system
+ namespace: kube-system
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+ subjects:
+ - kind: Group
+ name: system:serviceaccounts:kube-system
+ apiGroup: rbac.authorization.k8s.io
+ ---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: psp:icn:any
+ roleRef:
+ kind: ClusterRole
+ name: psp:icn
+ apiGroup: rbac.authorization.k8s.io
+ subjects:
+ - kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: {{ $clusterName }}-podsecurity-addon
+{{- end }}