specify runAsGroup, allow safe sysctls by default (#7399)
parent
49abf6007a
commit
7dec8e5caa
|
@ -19,6 +19,11 @@ podsecuritypolicy_restricted_spec:
|
||||||
rule: 'MustRunAsNonRoot'
|
rule: 'MustRunAsNonRoot'
|
||||||
seLinux:
|
seLinux:
|
||||||
rule: 'RunAsAny'
|
rule: 'RunAsAny'
|
||||||
|
runAsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
- min: 1
|
||||||
|
max: 65535
|
||||||
supplementalGroups:
|
supplementalGroups:
|
||||||
rule: 'MustRunAs'
|
rule: 'MustRunAs'
|
||||||
ranges:
|
ranges:
|
||||||
|
@ -30,8 +35,6 @@ podsecuritypolicy_restricted_spec:
|
||||||
- min: 1
|
- min: 1
|
||||||
max: 65535
|
max: 65535
|
||||||
readOnlyRootFilesystem: false
|
readOnlyRootFilesystem: false
|
||||||
forbiddenSysctls:
|
|
||||||
- '*'
|
|
||||||
|
|
||||||
podsecuritypolicy_privileged_spec:
|
podsecuritypolicy_privileged_spec:
|
||||||
privileged: true
|
privileged: true
|
||||||
|
@ -50,6 +53,8 @@ podsecuritypolicy_privileged_spec:
|
||||||
rule: 'RunAsAny'
|
rule: 'RunAsAny'
|
||||||
seLinux:
|
seLinux:
|
||||||
rule: 'RunAsAny'
|
rule: 'RunAsAny'
|
||||||
|
runAsGroup:
|
||||||
|
rule: 'RunAsAny'
|
||||||
supplementalGroups:
|
supplementalGroups:
|
||||||
rule: 'RunAsAny'
|
rule: 'RunAsAny'
|
||||||
fsGroup:
|
fsGroup:
|
||||||
|
|
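Review bot: Dropping `forbiddenSysctls` from `podsecuritypolicy_restricted_spec` in the second hunk leaves the restricted policy with neither `forbiddenSysctls` nor `allowedUnsafeSysctls`, so nothing in the spec records what sysctl behaviour is intended; add a comment above `readOnlyRootFilesystem: false` such as `# no sysctl fields on purpose: with neither forbiddenSysctls nor allowedUnsafeSysctls set, only Kubernetes' safe sysctls pass this policy` so a later reader does not take the omission for an oversight. In the first hunk, `runAsGroup: MustRunAs` with a range starting at 1 keeps GID 0 out, but as far as I recall the MustRunAs strategy also fills in the first range's minimum for pods that set no `runAsGroup`, so such pods would run with primary GID 1 — worth confirming and noting in a comment, since the existing `supplementalGroups`/`fsGroup` ranges rely on the same defaulting. The `podsecuritypolicy_restricted_spec:` mapping begins before the first hunk, and the `fsGroup:` entry continues past the third.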