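---
# Default PodSecurityPolicy: non-root, no privilege escalation, no host
# namespaces, and a fixed allow-list of volume types.
# NOTE: PodSecurityPolicy (policy/v1beta1) was deprecated in Kubernetes 1.21
# and removed in 1.25; newer clusters need Pod Security Admission or an
# admission policy engine to enforce the same constraints.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    # 'docker/default' is the older name for the runtime's default seccomp
    # profile; check whether the target cluster expects 'runtime/default'.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
  name: default
spec:
  # Every key under spec appears exactly once. A repeated key is invalid YAML,
  # and most parsers silently keep the last value, so a second
  # "rule: 'RunAsAny'" entry for runAsUser, fsGroup or supplementalGroups
  # would quietly override the restrictions below.
  allowedCapabilities: []  # default set of capabilities are implicitly allowed
  # NOTE(review): no requiredDropCapabilities is set, so the runtime's default
  # capability set stays available to pods; confirm that is intended.
  allowPrivilegeEscalation: false
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    # The seLinux strategy accepts only 'MustRunAs' or 'RunAsAny'. 'MustRunAs'
    # needs seLinuxOptions, which this policy does not define, so 'RunAsAny'
    # is the valid choice here.
    rule: 'RunAsAny'
  supplementalGroups:
    # 'MustRunAs' is the rule that enforces the range below; valid values are
    # 'MustRunAs', 'MayRunAs' and 'RunAsAny'.
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  volumes:
    - 'configMap'
    - 'downwardAPI'
    - 'emptyDir'
    - 'persistentVolumeClaim'
    - 'projected'
    - 'secret'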