C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

specify runAsGroup, allow safe sysctls by default (#7399)

Browse source
This commit is contained in:
rptaylor 2021-03-25 08:03:30 -07:00 committed by GitHub
parent 49abf6007a
commit 7dec8e5caa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
roles/kubernetes-apps/cluster_roles/defaults/main.yml
View file

@ -19,6 +19,11 @@ podsecuritypolicy_restricted_spec:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: 'MustRunAs'
ranges:
@ -30,8 +35,6 @@ podsecuritypolicy_restricted_spec:
- min: 1
max: 65535
readOnlyRootFilesystem: false
forbiddenSysctls:
- '*'
podsecuritypolicy_privileged_spec:
privileged: true
@ -50,6 +53,8 @@ podsecuritypolicy_privileged_spec:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup: