# PodSecurityPolicy for the flannel CNI DaemonSet (port of upstream flannel's
# psp.flannel.unprivileged to the Terraform kubernetes provider).
#
# Despite the "unprivileged" name, this policy grants host networking, any host
# port, and the NET_ADMIN / NET_RAW capabilities, which flannel needs to program
# routes and iptables. Under Pod Security Admission these settings fall outside
# the "baseline" level, so a PSA migration would need the namespace labelled
# "privileged" (or a policy engine that can express the same exceptions).
#
# NOTE(review): PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed
# in 1.25; this resource will not apply on clusters at or beyond that version.
resource "kubernetes_pod_security_policy" "this" {
  metadata {
    name = "psp.flannel.unprivileged"

    # Seccomp and AppArmor are pinned through PSP annotations: the default
    # profile is applied to every container, and the allowed list contains only
    # that same profile, so pods cannot opt into "unconfined".
    annotations = {
      "seccomp.security.alpha.kubernetes.io/allowedProfileNames" : "docker/default",
      "seccomp.security.alpha.kubernetes.io/defaultProfileName" : "docker/default",
      "apparmor.security.beta.kubernetes.io/allowedProfileNames" : "runtime/default",
      "apparmor.security.beta.kubernetes.io/defaultProfileName" : "runtime/default",
    }
  }

  spec {
    # Privilege Escalation
    # No privileged containers and no setuid-style escalation; the default is
    # also pinned to false so a pod that omits the field gets no escalation.
    allow_privilege_escalation         = false
    default_allow_privilege_escalation = false
    privileged                         = false

    # Volume types a pod may mount. hostPath is admitted only for the
    # allowed_host_paths prefixes below.
    volumes = [
      "configMap",
      "secret",
      "emptyDir",
      "hostPath",
    ]

    # Host directories flannel may mount: CNI config, flannel config and the
    # runtime subnet state. read_only is not set on any entry, so the provider
    # default applies and all three prefixes are mountable writable.
    # NOTE(review): confirm which of these flannel actually writes to and set
    # read_only = true on the rest — TODO.
    allowed_host_paths {
      path_prefix = "/etc/cni/net.d"
    }
    allowed_host_paths {
      path_prefix = "/etc/kube-flannel"
    }
    allowed_host_paths {
      path_prefix = "/run/flannel"
    }

    # The container root filesystem stays writable.
    read_only_root_filesystem = false

    # Users and groups
    # Pods are rejected unless they run as a non-root UID (either via
    # runAsUser / runAsNonRoot in the pod spec, or a numeric non-root USER in the
    # image). NOTE(review): upstream flannel manifests use RunAsAny here; verify
    # the deployed flannel image satisfies MustRunAsNonRoot, otherwise the
    # DaemonSet pods will be denied admission — TODO confirm.
    run_as_user {
      rule = "MustRunAsNonRoot"
    }
    supplemental_groups {
      rule = "RunAsAny"
    }
    fs_group {
      rule = "RunAsAny"
    }

    # Capabilities
    # NET_ADMIN and NET_RAW may be added (needed for routing/iptables); nothing
    # is added by default and no capability is forced to be dropped.
    allowed_capabilities       = ["NET_ADMIN", "NET_RAW"]
    default_add_capabilities   = []
    required_drop_capabilities = []

    # Host namespaces
    # PID and IPC namespaces stay isolated; host networking is required by the
    # CNI daemon. With host_network = true the 0-65535 host_ports range places no
    # restriction on which host ports a pod may bind.
    host_pid     = false
    host_ipc     = false
    host_network = true
    host_ports {
      min = 0
      max = 65535
    }

    # SELinux
    se_linux {
      # SELinux is unused in CaaSP
      rule = "RunAsAny"
    }
  }
}