diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index a95bf0f42de0ad9fe4412a1fc271cef1bfce9a9b..ab8d4ba6f4dd82aeb44f7cb70a2e949f9844f413 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -222,6 +222,12 @@ dynamic_kubelet_configuration_dir: "{{ kubelet_config_dir | default(default_kube
 # pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
 podsecuritypolicy_enabled: false
 
+# Custom PodSecurityPolicySpec for restricted policy
+# podsecuritypolicy_restricted_spec: {}
+
+# Custom PodSecurityPolicySpec for privileged policy
+# podsecuritypolicy_privileged_spec: {}
+
 # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
 # kubeconfig_localhost: false
 # Download kubectl onto the host that runs Ansible in {{ bin_dir }}
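Review bot: The `{}` placeholder on the commented `podsecuritypolicy_restricted_spec` / `podsecuritypolicy_privileged_spec` lines is not a usable starting point, because an inventory value replaces the role default wholesale rather than merging into it (unless `hash_behaviour=merge` is set), so uncommenting it as written renders `spec: {}`, and a PodSecurityPolicy with no `seLinux`/`runAsUser`/`supplementalGroups`/`fsGroup` rules is, as far as I recall, rejected by the API server. The bigger risk is a partial override that is accepted: setting only `privileged: false` here silently drops `requiredDropCapabilities`, the volume allowlist, `hostPID`/`hostIPC` and `MustRunAsNonRoot` from the restricted policy. Suggest replacing the two placeholders with a pointer, e.g. `# Overrides replace (do not merge with) the full spec in roles/kubernetes-apps/cluster_roles/defaults/main.yml; copy it from there and edit it.`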
diff --git a/roles/kubernetes-apps/cluster_roles/defaults/main.yml b/roles/kubernetes-apps/cluster_roles/defaults/main.yml
index ed97d539c095cf1413af30cc23dea272095b97dd..d183c1b11a36c80e6da9e4a2292d8520ccf56241 100644
--- a/roles/kubernetes-apps/cluster_roles/defaults/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/defaults/main.yml
@@ -1 +1,60 @@
 ---
+
+podsecuritypolicy_restricted_spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  forbiddenSysctls:
+    - '*'
+
+podsecuritypolicy_privileged_spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - '*'
+  volumes:
+    - '*'
+  hostNetwork: true
+  hostPorts:
+    - min: 0
+      max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+  allowedUnsafeSysctls:
+    - '*'
diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
index 1e1e070e189c1a79748ce3df284ba8bbeefc99b8..9245424cdebbd0dc0312e190f32b153ce2b1bffa 100644
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -13,37 +13,7 @@ metadata:
   labels:
     addonmanager.kubernetes.io/mode: Reconcile
 spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  forbiddenSysctls:
-  - '*'
+  {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
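Review bot: The spec is rendered from `podsecuritypolicy_restricted_spec` verbatim with nothing checking that it is still a mapping carrying the four mandatory rule blocks, so a partial inventory override (which replaces the default map rather than merging into it) yields either a manifest the apply task only rejects at the API server or, worse, a valid but much weaker restricted policy. An `assert` task in the role before this template is applied, with `- podsecuritypolicy_restricted_spec is mapping` and `- item in podsecuritypolicy_restricted_spec` looped over `['runAsUser', 'seLinux', 'supplementalGroups', 'fsGroup']` and a `fail_msg` pointing at the defaults file, would catch both cases at playbook time. Separately, `to_yaml(indent=2, width=1337)` is PyYAML's default dumper, which emits leaf lists in flow style (`requiredDropCapabilities: [ALL]`) and leans on a magic width to avoid wrapping; Ansible's `to_nice_yaml(indent=2)` (keep `width=` if long values are expected) restores the block style the removed lines had and reads better in `kubectl get psp -o yaml` diffs. The document's `metadata` block starts above this hunk.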
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -54,27 +24,4 @@ metadata:
   labels:
     addonmanager.kubernetes.io/mode: Reconcile
 spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-  - '*'
-  volumes:
-  - '*'
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  hostIPC: true
-  hostPID: true
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'
-  readOnlyRootFilesystem: false
-  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
-  allowedUnsafeSysctls:
-  - '*'
+  {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}