initial commit
All checks were successful
Build and Publish TechDocs / build-and-publish (push) Successful in 1m15s
All checks were successful
Build and Publish TechDocs / build-and-publish (push) Successful in 1m15s
Change-Id: I2e2564a72b6be9af536235fc3795fd788fd9257b
This commit is contained in:
Scaffolder
85
haproxy/templates/podsecuritypolicy.yaml
Normal file
85
haproxy/templates/podsecuritypolicy.yaml
Normal file
@@ -0,0 +1,85 @@
|
||||
{{/*
|
||||
Copyright 2020 HAProxy Technologies LLC
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
|
||||
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
|
||||
{{- $useHostNetwork := .Values.daemonset.useHostNetwork -}}
|
||||
{{- $useHostPort := .Values.daemonset.useHostPort -}}
|
||||
{{- $hostPorts := .Values.daemonset.hostPorts -}}
|
||||
{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }}
|
||||
apiVersion: policy/v1
|
||||
{{- else }}
|
||||
apiVersion: policy/v1beta1
|
||||
{{- end }}
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "haproxy.fullname" . }}
|
||||
namespace: {{ include "haproxy.namespace" . }}
|
||||
labels:
|
||||
{{- include "haproxy.labels" . | nindent 4 }}
|
||||
{{- if .Values.podSecurityPolicy.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
|
||||
{{- else }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
defaultAllowPrivilegeEscalation: false
|
||||
fsGroup:
|
||||
rule: MustRunAs
|
||||
ranges:
|
||||
- max: 65535
|
||||
min: 1
|
||||
{{- if $useHostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
{{- if or $useHostPort $useHostNetwork }}
|
||||
hostPorts:
|
||||
{{- range $key, $value := .Values.containerPorts }}
|
||||
- min: {{ $value }}
|
||||
max: {{ $value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
privileged: false
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: MustRunAs
|
||||
ranges:
|
||||
- max: 65535
|
||||
min: 1
|
||||
volumes:
|
||||
- configMap
|
||||
- emptyDir
|
||||
- projected
|
||||
- secret
|
||||
{{- with .Values.podSecurityPolicy.allowedUnsafeSysctls }}
|
||||
allowedUnsafeSysctls:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
Reference in New Issue
Block a user