kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

specify runAsGroup, allow safe sysctls by default (#7399)

pull/6919/head
rptaylor 2021-03-25 08:03:30 -07:00 committed by GitHub
parent 49abf6007a
commit 7dec8e5caa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
roles/kubernetes-apps/cluster_roles/defaults/main.yml
View File

@ -19,6 +19,11 @@ podsecuritypolicy_restricted_spec:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: 'MustRunAs'
ranges:
@ -30,8 +35,6 @@ podsecuritypolicy_restricted_spec:
- min: 1
max: 65535
readOnlyRootFilesystem: false
forbiddenSysctls:
- '*'
podsecuritypolicy_privileged_spec:
privileged: true
@ -50,6 +53,8 @@ podsecuritypolicy_privileged_spec:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup: