---
# PodSecurityPolicy granting the extra privileges an Istio-injected sidecar
# needs. NOTE(review): the PodSecurityPolicy API (policy/v1beta1) is
# deprecated and removed in newer Kubernetes releases; clusters without it
# need an equivalent policy (e.g. Pod Security Admission or a policy engine).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: istio-sidecar
spec:
  # Capabilities required for sidecar injection to work (presumably for the
  # injected init container's traffic-redirection setup — confirm). Both are
  # network-privileged capabilities, so this policy should only be usable by
  # workloads that actually receive the sidecar.
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
  # RunAsAny on every axis: no constraint on SELinux context, UID (root
  # included) or groups.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # '*' admits every volume type, hostPath included. Quoted because a bare *
  # would be parsed as a YAML alias.
  volumes:
    - '*'
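---
# ClusterRole permitting use of the istio-sidecar PodSecurityPolicy.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: istio-sidecar-psp
rules:
  - apiGroups:
      # The PSP in this file is declared under policy/v1beta1, so the rule
      # must name the policy group or the 'use' check fails on clusters that
      # serve PSPs only from there; extensions is kept for older clusters.
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    # Restricted to this one policy by name rather than all PSPs.
    resourceNames:
      - istio-sidecar
    verbs:
      - use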
---
# Binds the istio-sidecar-psp ClusterRole to every service account in the
# cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-sidecar-psp
subjects:
  # system:serviceaccounts is the group of all service accounts in all
  # namespaces, so the permissive policy (NET_ADMIN/NET_RAW, any volume type)
  # becomes usable cluster-wide. Where the injected namespaces are known,
  # prefer the per-namespace group system:serviceaccounts:<namespace> or
  # explicit ServiceAccount subjects.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts