sysctl related PodSecurityPolicy spec since 1.12 (#3743)

Erwan Miran 2018-11-26 09:13:51 +01:00 committed by k8s-ci-robot
parent c5e425b02b
commit b15e685a0b


@ -43,6 +43,10 @@ spec:
- min: 1 - min: 1
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{% if kube_version is version('v1.12.1', '>=') %}
forbiddenSysctls:
- '*'
{% endif %}
--- ---
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
@ -75,3 +79,8 @@ spec:
fsGroup: fsGroup:
rule: 'RunAsAny' rule: 'RunAsAny'
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{% if kube_version is version('v1.12.1', '>=') %}
# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
allowedUnsafeSysctls:
- '*'
{% endif %}
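Review bot: The wildcard under `allowedUnsafeSysctls` in the second hunk means this policy no longer restricts unsafe sysctls at all, so the only remaining control is the kubelet's `--allowed-unsafe-sysctls` setting on each node. If the policy is meant to stay permissive, that is worth saying in the comment. Otherwise, list only the sysctl names or prefixes the cluster actually needs instead of `'*'`. The existing comment is also ambiguous about what "will fail", since the policy itself applies fine and only pods are affected. I would reword it to `# Pods requesting an unsafe sysctl are still rejected by the kubelet unless it is listed in --allowed-unsafe-sysctls`. The policy's `metadata` and the start of its `spec` are outside the hunk, so which policy this is, and who is bound to it, should be checked against the full file.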