kubespray/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2

57 lines
1.2 KiB
Plaintext
Raw Normal View History

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: registry-proxy
annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
{% endif %}
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- SETPCAP
- MKNOD
- AUDIT_WRITE
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- SYS_CHROOT
- SETFCAP
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: true
hostPorts:
- min: {{ registry_port }}
max: {{ registry_port }}
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false