apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: istio-sidecar
# NOTE(review): the PodSecurityPolicy API (policy/v1beta1) was removed in
# Kubernetes 1.25; this object only takes effect on older clusters.
spec:
  # Allow the istio sidecar injector to work: only these two capabilities may
  # be requested by pods admitted under this policy, nothing else.
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
  # No constraints on the user, group or SELinux context a pod runs with.
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Every volume type is permitted, hostPath included; quoted so the asterisk
  # is a string rather than a YAML alias. Narrow this list if the admitted
  # workloads do not need host-level volumes.
  volumes:
    - '*'
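---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-sidecar-psp
# Grants only the `use` verb on the istio-sidecar policy; this is the
# permission the PodSecurityPolicy admission check looks for.
rules:
  - apiGroups:
      # The policy in this file is declared under policy/v1beta1, so the rule
      # must cover the `policy` group. `extensions` is kept for clusters that
      # still authorize PSP use under the legacy group name.
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - istio-sidecar
    verbs:
      - use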
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-psp
subjects:
  # system:serviceaccounts is the group of every service account in every
  # namespace, so this binding lets any pod in the cluster be admitted under
  # the istio-sidecar policy (NET_ADMIN/NET_RAW, RunAsAny, any volume type).
  # Scoping it to the namespaces with sidecar injection enabled, e.g. a
  # RoleBinding per namespace or the system:serviceaccounts:<namespace> group,
  # limits the blast radius.
  - kind: Group
    name: system:serviceaccounts
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: istio-sidecar-psp
  apiGroup: rbac.authorization.k8s.io