Chart: Remove Pod Security Policy. (#11971)

Marco Ebert 2024-09-15 17:03:24 +02:00 committed by GitHub
parent 61f56cb490
commit 027603927b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 1 additions and 438 deletions


@ -1,17 +0,0 @@
# Pod Security Policy (PSP)
In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`)
have permissions to create pods.
Kubernetes however provides a more fine-grained authorization policy called
[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
PSP allows the cluster owner to define the permission of each object, for example creating a pod.
If you have PSP enabled on the cluster, and you deploy ingress-nginx,
you will need to provide the `Deployment` with the permissions to create pods.
Before applying any objects, first apply the PSP permissions by running:
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
```
Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`.
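Review bot: deleting this page also deletes the target of the `kubectl apply -f .../main/docs/examples/psp/psp.yaml` command it contains, so anyone following a cached or mirrored copy of the old instructions will get a 404 from the raw URL. Consider a short note in the chart changelog or release notes saying that the PSP example and its documentation were removed because the `PodSecurityPolicy` API no longer exists in current Kubernetes releases, and pointing operators at Pod Security Admission (namespace labels) as the supported replacement for the permission step this page described. The old text also still refers to PSP as "a more fine-grained authorization policy", which reads as current guidance; removing the page outright is cleaner than leaving it, so the only follow-up is the redirect or changelog pointer.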


@ -1,75 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
allowedCapabilities:
- NET_BIND_SERVICE
privileged: false
allowPrivilegeEscalation: true
# Allow core volume types.
volumes:
- configMap
- secret
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
seLinux:
rule: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-nginx-psp
namespace: ingress-nginx
rules:
- apiGroups: [policy]
resources: [podsecuritypolicies]
verbs: [use]
resourceNames: [ingress-nginx]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-nginx-psp
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-psp
subjects:
- kind: ServiceAccount
name: default
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
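Review bot: the removed manifest is the only place in this diff that records which pod-level restrictions the project used to recommend (`privileged: false`, `hostIPC: false`, `hostPID: false`, `runAsUser: MustRunAsNonRoot`, `supplementalGroups`/`fsGroup` ranges starting at `1`, only `configMap` and `secret` volumes, and `NET_BIND_SERVICE` as the sole added capability), so the removal should be accompanied by a sentence telling operators how to preserve that posture without PSP. Note that the deleted policy set `allowPrivilegeEscalation: true`, which means it does not map one-to-one onto the Pod Security Admission `restricted` profile (that profile requires `allowPrivilegeEscalation: false` while still permitting `NET_BIND_SERVICE` to be added); operators who simply label the namespace `restricted` may see the controller pods rejected, so the migration note should say so. The `RoleBinding` at the end also granted `use` on the policy to the `default` service account, not only to `ingress-nginx` and `ingress-nginx-admission`; dropping it removes that grant, which is an improvement, but worth stating in the release notes since it is a permission change and not just a documentation cleanup. Minor: the `namespace: ingress-nginx` field on the `PodSecurityPolicy` object was always ignored (the kind is cluster-scoped), which is consistent with removing the file rather than fixing it.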