added pod security policy
Signed-off-by: janeczku <jan@rancher.com>
This commit is contained in:
janeczku
Sheng Yang
parent
29f31e43f7
commit
f887ad1fb4
@ -338,3 +338,9 @@ WARNING: DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES.'
|
||||
max: 32767
|
||||
show_if: "service.ui.type=NodePort||service.ui.type=LoadBalancer"
|
||||
label: UI Service NodePort number
|
||||
- variable: podSecurityPolicy.enabled
|
||||
default: "true"
|
||||
description: "Configure a custom pod security policy for the Longhorn namespace."
|
||||
label: Pod Security Policy
|
||||
type: boolean
|
||||
group: "Other Settings"
|
||||
66
chart/templates/psp.yaml
Normal file
66
chart/templates/psp.yaml
Normal file
@ -0,0 +1,66 @@
|
||||
{{- if .Values.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: longhorn-psp
|
||||
labels: {{- include "longhorn.labels" . | nindent 4 }}
|
||||
spec:
|
||||
privileged: true
|
||||
allowPrivilegeEscalation: true
|
||||
requiredDropCapabilities:
|
||||
- NET_RAW
|
||||
allowedCapabilities:
|
||||
- SYS_ADMIN
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- emptyDir
|
||||
- secret
|
||||
- projected
|
||||
- hostPath
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: longhorn-psp-role
|
||||
labels: {{- include "longhorn.labels" . | nindent 4 }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- policy
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
resourceNames:
|
||||
- longhorn-psp
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: longhorn-psp-binding
|
||||
labels: {{- include "longhorn.labels" . | nindent 4 }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: longhorn-psp-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: longhorn-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
- kind: ServiceAccount
|
||||
name: default
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
@ -118,3 +118,7 @@ ingress:
|
||||
# - name: longhorn.local-tls
|
||||
# key:
|
||||
# certificate:
|
||||
|
||||
# Setup pod security policy in the Longhorn namespace to allow privileged pods
|
||||
podSecurityPolicy:
|
||||
enabled: true
|
||||
|
||||
Loading…
Reference in New Issue
Block a user