Removed PodSecurityPolicy from ingress-nginx (#9448)
parent
c272421910
commit
d00508105b
2 changed files with 0 additions and 54 deletions
|
@ -23,8 +23,6 @@
|
||||||
- { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
|
- { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
|
||||||
- { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
|
- { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
|
||||||
- { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
|
- { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
|
||||||
ingress_nginx_templates_for_psp:
|
|
||||||
- { name: psp-ingress-nginx, file: psp-ingress-nginx.yml, type: podsecuritypolicy }
|
|
||||||
ingress_nginx_templates_for_webhook:
|
ingress_nginx_templates_for_webhook:
|
||||||
- { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
|
- { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
|
||||||
- { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
|
- { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
|
||||||
|
@ -34,11 +32,6 @@
|
||||||
- { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
|
- { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
|
||||||
- { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
|
- { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
|
||||||
|
|
||||||
- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for PodSecurityPolicy
|
|
||||||
set_fact:
|
|
||||||
ingress_nginx_templates: "{{ ingress_nginx_templates_for_psp + ingress_nginx_templates }}"
|
|
||||||
when: podsecuritypolicy_enabled
|
|
||||||
|
|
||||||
- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
|
- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
|
||||||
set_fact:
|
set_fact:
|
||||||
ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
|
ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
|
||||||
|
|
|
@ -1,47 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: policy/v1beta1
|
|
||||||
kind: PodSecurityPolicy
|
|
||||||
metadata:
|
|
||||||
name: ingress-nginx
|
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
|
||||||
{% if apparmor_enabled %}
|
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
|
||||||
{% endif %}
|
|
||||||
labels:
|
|
||||||
addonmanager.kubernetes.io/mode: Reconcile
|
|
||||||
spec:
|
|
||||||
privileged: false
|
|
||||||
allowPrivilegeEscalation: true
|
|
||||||
allowedCapabilities:
|
|
||||||
- NET_BIND_SERVICE
|
|
||||||
volumes:
|
|
||||||
- 'configMap'
|
|
||||||
- 'emptyDir'
|
|
||||||
- 'projected'
|
|
||||||
- 'secret'
|
|
||||||
- 'downwardAPI'
|
|
||||||
- 'persistentVolumeClaim'
|
|
||||||
hostNetwork: {{ ingress_nginx_host_network|bool }}
|
|
||||||
hostPorts:
|
|
||||||
- min: 0
|
|
||||||
max: 65535
|
|
||||||
hostIPC: false
|
|
||||||
hostPID: false
|
|
||||||
runAsUser:
|
|
||||||
rule: 'MustRunAsNonRoot'
|
|
||||||
seLinux:
|
|
||||||
rule: 'RunAsAny'
|
|
||||||
supplementalGroups:
|
|
||||||
rule: 'MustRunAs'
|
|
||||||
ranges:
|
|
||||||
- min: 1
|
|
||||||
max: 65535
|
|
||||||
fsGroup:
|
|
||||||
rule: 'MustRunAs'
|
|
||||||
ranges:
|
|
||||||
- min: 1
|
|
||||||
max: 65535
|
|
||||||
readOnlyRootFilesystem: false
|
|