sysctl related PodSecurityPolicy spec since 1.12 (#3743)

b15e685a · Erwan Miran · k8s-ci-robot · c5e425b0 · b15e685a
Commit b15e685a authored 6 years ago by Erwan Miran Committed by k8s-ci-robot 6 years ago
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -43,6 +43,10 @@ spec:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  forbiddenSysctls:
+  - '*'
+{% endif %}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -75,3 +79,8 @@ spec:
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+  allowedUnsafeSysctls:
+  - '*'
+{% endif %}