init: copied modules from lawndale-infra

kubernetes/flannel/pod_security.tf

@@ -0,0 +1,65 @@
+resource "kubernetes_pod_security_policy" "this" {
+  metadata {
+    name = "psp.flannel.unprivileged"
+    annotations = {
+      "seccomp.security.alpha.kubernetes.io/allowedProfileNames" : "docker/default",
+      "seccomp.security.alpha.kubernetes.io/defaultProfileName" : "docker/default",
+      "apparmor.security.beta.kubernetes.io/allowedProfileNames" : "runtime/default",
+      "apparmor.security.beta.kubernetes.io/defaultProfileName" : "runtime/default",
+    }
+  }
+  spec {
+    # Privilege Escalation
+    allow_privilege_escalation         = false
+    default_allow_privilege_escalation = false
+    privileged                         = false
+
+    volumes = [
+      "configMap",
+      "secret",
+      "emptyDir",
+      "hostPath",
+    ]
+    allowed_host_paths {
+      path_prefix = "/etc/cni/net.d"
+    }
+    allowed_host_paths {
+      path_prefix = "/etc/kube-flannel"
+    }
+    allowed_host_paths {
+      path_prefix = "/run/flannel"
+    }
+
+    read_only_root_filesystem = false
+
+    # Users and groups
+    run_as_user {
+      rule = "MustRunAsNonRoot"
+    }
+    supplemental_groups {
+      rule = "RunAsAny"
+    }
+    fs_group {
+      rule = "RunAsAny"
+    }
+
+    # Capabilities
+    allowed_capabilities       = ["NET_ADMIN", "NET_RAW"]
+    default_add_capabilities   = []
+    required_drop_capabilities = []
+
+    # Host namespaces
+    host_pid     = false
+    host_ipc     = false
+    host_network = true
+    host_ports {
+      min = 0
+      max = 65535
+    }
+    # SELinux
+    se_linux {
+      # SELinux is unused in CaaSP
+      rule = "RunAsAny"
+    }
+  }
+}