aboutsummaryrefslogtreecommitdiffstats
path: root/vnfs/DAaaS/00-init/rook-ceph/templates/psp.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'vnfs/DAaaS/00-init/rook-ceph/templates/psp.yaml')
-rw-r--r--vnfs/DAaaS/00-init/rook-ceph/templates/psp.yaml35
1 files changed, 35 insertions, 0 deletions
diff --git a/vnfs/DAaaS/00-init/rook-ceph/templates/psp.yaml b/vnfs/DAaaS/00-init/rook-ceph/templates/psp.yaml
new file mode 100644
index 00000000..412b2437
--- /dev/null
+++ b/vnfs/DAaaS/00-init/rook-ceph/templates/psp.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.pspEnable }}
+# PSP for rook-ceph-operator
+
+# Most of the teams follow the kubernetes docs and have these PSPs.
+# * privileged (for kube-system namespace)
+# * restricted (for all logged in users)
+#
+# If we name it as `rook-ceph-operator`, it comes next to `restricted` PSP alphabetically,
+# and applies `restricted` capabilities to `rook-system`. Thats reason this is named with `00-rook-ceph-operator`,
+# so it stays somewhere close to top and `rook-system` gets the intended PSP.
+#
+# More info on PSP ordering : https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
+
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: 00-rook-ceph-operator
+spec:
+ fsGroup:
+ rule: RunAsAny
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ allowedCapabilities:
+ - '*'
+ hostPID: true
+ hostIPC: true
+ hostNetwork: true
+{{- end }}