Unverified Commit 7dec8e5c authored by rptaylor's avatar rptaylor Committed by GitHub

specify runAsGroup, allow safe sysctls by default (#7399)

parent 49abf600
...@@ -19,6 +19,11 @@ podsecuritypolicy_restricted_spec: ...@@ -19,6 +19,11 @@ podsecuritypolicy_restricted_spec:
rule: 'MustRunAsNonRoot' rule: 'MustRunAsNonRoot'
seLinux: seLinux:
rule: 'RunAsAny' rule: 'RunAsAny'
runAsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
supplementalGroups: supplementalGroups:
rule: 'MustRunAs' rule: 'MustRunAs'
ranges: ranges:
...@@ -30,8 +35,6 @@ podsecuritypolicy_restricted_spec: ...@@ -30,8 +35,6 @@ podsecuritypolicy_restricted_spec:
- min: 1 - min: 1
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
forbiddenSysctls:
- '*'
podsecuritypolicy_privileged_spec: podsecuritypolicy_privileged_spec:
privileged: true privileged: true
...@@ -50,6 +53,8 @@ podsecuritypolicy_privileged_spec: ...@@ -50,6 +53,8 @@ podsecuritypolicy_privileged_spec:
rule: 'RunAsAny' rule: 'RunAsAny'
seLinux: seLinux:
rule: 'RunAsAny' rule: 'RunAsAny'
runAsGroup:
rule: 'RunAsAny'
supplementalGroups: supplementalGroups:
rule: 'RunAsAny' rule: 'RunAsAny'
fsGroup: fsGroup:
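Review bot: In the restricted spec, the new `runAsGroup` block uses `MustRunAs` with a range starting at 1, and under PodSecurityPolicy semantics a pod that sets no `runAsGroup` is defaulted to the minimum of the first range, so such pods would run with primary GID 1 rather than the image's own group. That keeps GID 0 out, but it can change file-permission behaviour for existing workloads and deserves a comment above the block, e.g. `# pods that omit runAsGroup are defaulted to GID 1; GID 0 is rejected`. The same section drops `forbiddenSysctls: ['*']` and leaves no trace of that on the new side; a line such as `# forbiddenSysctls left unset on purpose: only safe sysctls are admitted, unsafe ones still need allowedUnsafeSysctls` would stop a later reader from treating it as an omission. The file path and the rest of the spec are not visible on this page, so both points should be checked against the full defaults file.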