---
# PodSecurityPolicy applied by the GCE addon manager to the kube-system add-ons
# that need no host-level access. It forbids privileged containers, host
# namespaces and host volumes, but (see the TODO in spec) still allows the
# add-on to run as root on a writable root filesystem.
#
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes
# 1.25; on newer clusters the equivalent restrictions must come from Pod
# Security Admission or an external admission policy.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: gce.unprivileged-addon
  labels:
    # Owned by the addon manager: manual edits are reconciled away.
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
  annotations:
    kubernetes.io/description: >-
      This policy grants the minimum amount of privilege necessary to run
      non-privileged kube-system pods. This policy is not intended for use
      outside of kube-system, and may include further restrictions in the
      future.
    # Seccomp: a pod may request "runtime/default" or its legacy alias
    # "docker/default"; a pod that names no profile has "docker/default"
    # filled in for it.
    seccomp.security.alpha.kubernetes.io/defaultProfileName: "docker/default"
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default,docker/default"
    # AppArmor: "runtime/default" is already what the runtime applies, but
    # the PSP still has to fill it in on the pod so the allowed-profile check
    # passes; no other profile may be requested.
    apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"
    apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default"
spec:
  # No privileged containers and no privilege gain at exec time
  # (no_new_privs), so setuid binaries cannot escalate inside the container.
  privileged: false
  allowPrivilegeEscalation: false
  # The node's network, IPC and PID namespaces are never shared.
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # Capabilities a pod is allowed to *add* in its securityContext; this is
  # the set Docker grants containers by default, and nothing beyond it can be
  # requested.
  # NOTE(review): no requiredDropCapabilities is set, so the runtime's default
  # set stays unless the pod drops it itself. NET_RAW, DAC_OVERRIDE and
  # SYS_CHROOT are the broadest entries here — confirm the add-ons using this
  # policy actually need them before keeping them.
  allowedCapabilities:
    - SETPCAP
    - MKNOD
    - AUDIT_WRITE
    - CHOWN
    - NET_RAW
    - DAC_OVERRIDE
    - FOWNER
    - FSETID
    - KILL
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
    - SYS_CHROOT
    - SETFCAP
  # Allowlist of volume types: only ephemeral and API-backed volumes, so
  # hostPath (and every other type) is rejected and the node filesystem
  # cannot be mounted.
  volumes:
    - emptyDir
    - configMap
    - secret
  # TODO: The addons using this profile should not run as root.
  # Until that is done any UID (including 0), any SELinux context and any
  # supplemental or fs group is accepted.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # The container root filesystem may be written to.
  readOnlyRootFilesystem: false