| apiVersion: policy/v1beta1 |
| kind: PodSecurityPolicy |
| metadata: |
| name: gce.event-exporter |
| annotations: |
| kubernetes.io/description: 'Policy used by the event-exporter addon.' |
| seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' |
| seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default' |
| # 'runtime/default' is already the default, but must be filled in on the |
| # pod to pass admission. |
| apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
| apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
| labels: |
| kubernetes.io/cluster-service: 'true' |
| addonmanager.kubernetes.io/mode: Reconcile |
| spec: |
| privileged: false |
| allowPrivilegeEscalation: false |
| volumes: |
| - 'hostPath' |
| - 'secret' |
| # TODO: This only needs a hostPath to read /etc/ssl/certs, |
| # but it should be able to just include these in the image. |
| allowedHostPaths: |
| - pathPrefix: /etc/ssl/certs |
| hostNetwork: false |
| hostIPC: false |
| hostPID: false |
| # TODO: This doesn't need to run as root. |
| runAsUser: |
| rule: 'RunAsAny' |
| seLinux: |
| rule: 'RunAsAny' |
| supplementalGroups: |
| rule: 'RunAsAny' |
| fsGroup: |
| rule: 'RunAsAny' |
| readOnlyRootFilesystem: false |
