Merge "Enable pod security policies"

1 files changed, 34 insertions, 2 deletions

diff --git a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
index 0a2953ce..18a55035 100644
--- a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
+++ b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
@@ -52,8 +52,6 @@ local_volume_provisioner_enabled: true
 # Helm deployment
 helm_enabled: true
 
-docker_version: 'latest'
-
 # Kube-proxy proxyMode configuration.
 # NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
 # works in the kernel space
@@ -81,3 +79,37 @@ kube_pods_subnet: 10.244.64.0/18
 
 # disable localdns cache
 enable_nodelocaldns: false
+
+# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
+podsecuritypolicy_enabled: true
+# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
+#   allowedCapabilities:
+#     - '*'
+# by
+#   requiredDropCapabilities:
+#    - NET_RAW
+podsecuritypolicy_restricted_spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  volumes:
+    - '*'
+  hostNetwork: true
+  hostPorts:
+    - min: 0
+      max: 65535
+  hostIPC: true
+  hostPID: true
+  requiredDropCapabilities:
+    - NET_RAW
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+  allowedUnsafeSysctls:
+    - '*'