kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

sysctl related PodSecurityPolicy spec since 1.12 (#3743)

pull/3761/head
Erwan Miran 2018-11-26 09:13:51 +01:00 committed by k8s-ci-robot
parent c5e425b02b
commit b15e685a0b
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
View File

@ -43,6 +43,10 @@ spec:
- min: 1 - min: 1
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{% if kube_version is version('v1.12.1', '>=') %}
forbiddenSysctls:
- '*'
{% endif %}
--- ---
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
@ -75,3 +79,8 @@ spec:
fsGroup: fsGroup:
rule: 'RunAsAny' rule: 'RunAsAny'
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{% if kube_version is version('v1.12.1', '>=') %}
# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
allowedUnsafeSysctls:
- '*'
{% endif %}