specify runAsGroup, allow safe sysctls by default (#7399)

This commit is contained in:
rptaylor 2021-03-25 08:03:30 -07:00 committed by GitHub
parent 49abf6007a
commit 7dec8e5caa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -19,6 +19,11 @@ podsecuritypolicy_restricted_spec:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: 'MustRunAs'
ranges:
@ -30,8 +35,6 @@ podsecuritypolicy_restricted_spec:
- min: 1
max: 65535
readOnlyRootFilesystem: false
forbiddenSysctls:
- '*'
podsecuritypolicy_privileged_spec:
privileged: true
@ -50,6 +53,8 @@ podsecuritypolicy_privileged_spec:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup: