| apiVersion: policy/v1beta1 |
| kind: PodSecurityPolicy |
| metadata: |
| name: gce.fluentd-gcp |
| annotations: |
| kubernetes.io/description: 'Policy used by the fluentd-gcp addon.' |
| seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' |
| seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default' |
| # 'runtime/default' is already the default, but must be filled in on the |
| # pod to pass admission. |
| apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
| apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
| labels: |
| kubernetes.io/cluster-service: 'true' |
| addonmanager.kubernetes.io/mode: Reconcile |
| spec: |
| privileged: false |
| allowPrivilegeEscalation: false |
| volumes: |
| - 'configMap' |
| - 'hostPath' |
| - 'secret' |
| allowedHostPaths: |
| - pathPrefix: /var/log |
| - pathPrefix: /var/lib/docker/containers |
| - pathPrefix: /usr/lib64 |
| hostNetwork: true |
| hostIPC: false |
| hostPID: false |
| runAsUser: |
| rule: 'RunAsAny' |
| seLinux: |
| rule: 'RunAsAny' |
| supplementalGroups: |
| rule: 'RunAsAny' |
| fsGroup: |
| rule: 'RunAsAny' |
| readOnlyRootFilesystem: false |