From 7dec8e5caa70c4e2b55288e1e20fe7202b3a1ba2 Mon Sep 17 00:00:00 2001
From: rptaylor <1686627+rptaylor@users.noreply.github.com>
Date: Thu, 25 Mar 2021 08:03:30 -0700
Subject: [PATCH] specify runAsGroup, allow safe sysctls by default (#7399)
---
 roles/kubernetes-apps/cluster_roles/defaults/main.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/roles/kubernetes-apps/cluster_roles/defaults/main.yml b/roles/kubernetes-apps/cluster_roles/defaults/main.yml
index d183c1b11..f26583da3 100644
--- a/roles/kubernetes-apps/cluster_roles/defaults/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/defaults/main.yml
@@ -19,6 +19,11 @@ podsecuritypolicy_restricted_spec:
     rule: 'MustRunAsNonRoot'
   seLinux:
     rule: 'RunAsAny'
+  runAsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
   supplementalGroups:
     rule: 'MustRunAs'
     ranges:
@@ -30,8 +35,6 @@ podsecuritypolicy_restricted_spec:
       - min: 1
         max: 65535
   readOnlyRootFilesystem: false
-  forbiddenSysctls:
-    - '*'
 
 podsecuritypolicy_privileged_spec:
   privileged: true
@@ -50,6 +53,8 @@ podsecuritypolicy_privileged_spec:
     rule: 'RunAsAny'
   seLinux:
     rule: 'RunAsAny'
+  runAsGroup:
+    rule: 'RunAsAny'
   supplementalGroups:
     rule: 'RunAsAny'
   fsGroup:
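Review bot: The new `runAsGroup: MustRunAs` stanza in the restricted spec has a side effect the commit does not document: under PSP MustRunAs semantics a pod that omits runAsGroup is defaulted to the minimum of the first range, so containers that relied on their image's primary group will now start with GID 1 unless they set runAsGroup explicitly. That is a behaviour change for existing workloads admitted by the restricted policy, not just a tightening, and is worth a comment above the stanza, e.g. `# MustRunAs defaults an unset runAsGroup to the range minimum (1); set runAsGroup explicitly if another GID is needed`, plus a line in the role's docs. Choosing 1-65535 is consistent with the supplementalGroups and fsGroup ranges already in this spec and keeps GID 0 out, which matches the MustRunAsNonRoot rule for runAsUser. The enclosing `podsecuritypolicy_restricted_spec` mapping starts before this hunk.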
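Review bot: Removing `forbiddenSysctls: ['*']` from the restricted spec changes a security default silently: the role default now relies entirely on Kubernetes' built-in safe-sysctl allowlist (unsafe sysctls still need both kubelet opt-in and an `allowedUnsafeSysctls` entry in the PSP), and operators who depended on the previous blanket block get no signal that the default moved. Since this is a role default that inventories can override, a comment where the key used to be, e.g. `# No forbiddenSysctls by default: only Kubernetes' safe sysctls are permitted; add forbiddenSysctls in your inventory to block them again`, and a note in the role documentation would let operators restore the old behaviour deliberately. The hunk also shows the start of `podsecuritypolicy_privileged_spec`, whose body continues outside it.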