Created
November 22, 2019 20:21
-
-
Save tallclair/bfbea783d6c0aff2d481f74dce538079 to your computer and use it in GitHub Desktop.
Default PSP profile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: default | |
| annotations: | |
| apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |
| apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |
| spec: | |
| privileged: false | |
| # Maybe allow all volumes except hostPath | |
| volumes: | |
| - 'configMap' | |
| - 'emptyDir' | |
| - 'projected' | |
| - 'secret' | |
| - 'downwardAPI' | |
| # Assume that persistentVolumes set up by the cluster admin are safe to use. | |
| - 'persistentVolumeClaim' | |
| hostNetwork: false | |
| hostIPC: false | |
| hostPID: false | |
| seLinux: | |
| # This policy assumes the nodes are using AppArmor rather than SELinux. | |
| rule: 'RunAsAny' | |
| readOnlyRootFilesystem: false |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment