Home Explore Help
Sign In
cecf
/
deploy
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
deploy
/
ingress-nginx
/
templates
/
controller-psp.yaml

controller-psp.yaml 2.5 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
    2. 

  2. {{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
    3. 

  3. apiVersion: policy/v1beta1
    4. 

  4. kind: PodSecurityPolicy
    5. 

  5. metadata:
    6. 

  6.   name: {{ include "ingress-nginx.fullname" . }}
    7. 

  7.   labels:
    8. 

  8.     {{- include "ingress-nginx.labels" . | nindent 4 }}
    9. 

  9.     app.kubernetes.io/component: controller
    10. 

  10.     {{- with .Values.controller.labels }}
    11. 

  11.     {{- toYaml . | nindent 4 }}
    12. 

  12.     {{- end }}
    13. 

  13. spec:
    14. 

  14.   allowedCapabilities:
    15. 

  15.     - NET_BIND_SERVICE
    16. 

  16.   {{- if .Values.controller.image.chroot }}
    17. 

  17.     - SYS_CHROOT
    18. 

  18.   {{- end }}
    19. 

  19. {{- if .Values.controller.sysctls }}
    20. 

  20.   allowedUnsafeSysctls:
    21. 

  21.   {{- range $sysctl, $value := .Values.controller.sysctls }}
    22. 

  22.   - {{ $sysctl }}
    23. 

  23.   {{- end }}
    24. 

  24. {{- end }}
    25. 

  25.   privileged: false
    26. 

  26.   allowPrivilegeEscalation: true
    27. 

  27.   # Allow core volume types.
    28. 

  28.   volumes:
    29. 

  29.     - 'configMap'
    30. 

  30.     - 'emptyDir'
    31. 

  31.     #- 'projected'
    32. 

  32.     - 'secret'
    33. 

  33.     #- 'downwardAPI'
    34. 

  34. {{- if .Values.controller.hostNetwork }}
    35. 

  35.   hostNetwork: {{ .Values.controller.hostNetwork }}
    36. 

  36. {{- end }}
    37. 

  37. {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
    38. 

  38.   hostPorts:
    39. 

  39. {{- if .Values.controller.hostNetwork }}
    40. 

  40. {{- range $key, $value := .Values.controller.containerPort }}
    41. 

  41.   # {{ $key }}
    42. 

  42.   - min: {{ $value }}
    43. 

  43.     max: {{ $value }}
    44. 

  44. {{- end }}
    45. 

  45. {{- else if .Values.controller.hostPort.enabled }}
    46. 

  46. {{- range $key, $value := .Values.controller.hostPort.ports }}
    47. 

  47.   # {{ $key }}
    48. 

  48.   - min: {{ $value }}
    49. 

  49.     max: {{ $value }}
    50. 

  50. {{- end }}
    51. 

  51. {{- end }}
    52. 

  52. {{- if .Values.controller.metrics.enabled }}
    53. 

  53.   # metrics
    54. 

  54.   - min: {{ .Values.controller.metrics.port }}
    55. 

  55.     max: {{ .Values.controller.metrics.port }}
    56. 

  56. {{- end }}
    57. 

  57. {{- if .Values.controller.admissionWebhooks.enabled }}
    58. 

  58.   # admission webhooks
    59. 

  59.   - min: {{ .Values.controller.admissionWebhooks.port }}
    60. 

  60.     max: {{ .Values.controller.admissionWebhooks.port }}
    61. 

  61. {{- end }}
    62. 

  62. {{- range $key, $value := .Values.tcp }}
    63. 

  63.   # {{ $key }}-tcp
    64. 

  64.   - min: {{ $key }}
    65. 

  65.     max: {{ $key }}
    66. 

  66. {{- end }}
    67. 

  67. {{- range $key, $value := .Values.udp }}
    68. 

  68.   # {{ $key }}-udp
    69. 

  69.   - min: {{ $key }}
    70. 

  70.     max: {{ $key }}
    71. 

  71. {{- end }}
    72. 

  72. {{- end }}
    73. 

  73.   hostIPC: false
    74. 

  74.   hostPID: false
    75. 

  75.   runAsUser:
    76. 

  76.     # Require the container to run without root privileges.
    77. 

  77.     rule: 'MustRunAsNonRoot'
    78. 

  78.   supplementalGroups:
    79. 

  79.     rule: 'MustRunAs'
    80. 

  80.     ranges:
    81. 

  81.       # Forbid adding the root group.
    82. 

  82.       - min: 1
    83. 

  83.         max: 65535
    84. 

  84.   fsGroup:
    85. 

  85.     rule: 'MustRunAs'
    86. 

  86.     ranges:
    87. 

  87.       # Forbid adding the root group.
    88. 

  88.       - min: 1
    89. 

  89.         max: 65535
    90. 

  90.   readOnlyRootFilesystem: false
    91. 

  91.   seLinux:
    92. 

  92.     rule: 'RunAsAny'
    93. 

  93. {{- end }}
    94. 

  94. {{- end }}
    95.