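{{ if .Values.enablePSP -}}
---
###
### Control Plane PSP
###
# PodSecurityPolicy applied to the Linkerd control-plane pods. Only rendered
# when enablePSP is set. The policy/v1beta1 PodSecurityPolicy API was
# deprecated in Kubernetes 1.21 and removed in 1.25, so on newer clusters
# this document cannot be applied and equivalent admission-time enforcement
# has to come from Pod Security Admission or an external admission controller.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-{{.Release.Namespace}}-control-plane
  annotations:
    # Pods may only request the container runtime's default seccomp profile.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default"
  labels:
    # Quoted so a namespace named like a YAML boolean or number still renders
    # as a string label value.
    linkerd.io/control-plane-ns: "{{.Release.Namespace}}"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  # Privilege escalation is permitted only when proxy-init needs elevated
  # rights: an explicit runAsRoot, or closeWaitTimeoutSecs (presumably because
  # tuning the conntrack close-wait timeout requires privileged access).
  {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.runAsRoot }}
  allowPrivilegeEscalation: true
  {{- else }}
  allowPrivilegeEscalation: false
  {{- end }}
  readOnlyRootFilesystem: true
  # Without the CNI plugin, proxy-init rewrites iptables inside the pod and
  # needs these two capabilities; with CNI enabled none are allowed.
  {{- if empty .Values.cniEnabled }}
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  {{- end}}
  # Every capability not explicitly allowed above is dropped.
  requiredDropCapabilities:
  - ALL
  hostNetwork: false
  hostIPC: false
  hostPID: false
  seLinux:
    rule: RunAsAny
  # With CNI the control plane is forced to run as non-root with bounded
  # group ids; without CNI the user/group rules are relaxed because
  # proxy-init has to run as root.
  runAsUser:
    {{- if .Values.cniEnabled }}
    rule: MustRunAsNonRoot
    {{- else }}
    rule: RunAsAny
    {{- end }}
  runAsGroup:
    {{- if .Values.cniEnabled }}
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 999999
    {{- else }}
    rule: RunAsAny
    {{- end }}
  supplementalGroups:
    rule: MustRunAs
    ranges:
    {{- if .Values.cniEnabled }}
    - min: 10001
      max: 65535
    {{- else }}
    - min: 1
      max: 65535
    {{- end }}
  fsGroup:
    rule: MustRunAs
    ranges:
    {{- if .Values.cniEnabled }}
    - min: 10001
      max: 65535
    {{- else }}
    - min: 1
      max: 65535
    {{- end }}
  # hostPath is deliberately absent: only these volume types may be mounted.
  volumes:
  - configMap
  - emptyDir
  - secret
  - projected
  - downwardAPI
  - persistentVolumeClaim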
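---
# Role granting the 'use' verb on the control-plane PSP, which is what lets
# pods created by the bound service accounts be admitted under that policy.
# resourceNames pins the grant to this single PSP rather than every PSP in
# the cluster; 'extensions' is the legacy API group PSPs were once served from.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-psp
  # Quoted so a namespace named like a YAML boolean or number stays a string.
  namespace: "{{ .Release.Namespace }}"
  labels:
    linkerd.io/control-plane-ns: "{{.Release.Namespace}}"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
- apiGroups: ['policy', 'extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - linkerd-{{.Release.Namespace}}-control-plane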
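---
# Binds the linkerd-psp Role to the control-plane service accounts, so only
# these accounts may use the control-plane PSP. The heartbeat account is
# included only while the heartbeat component is enabled (disableHeartBeat
# unset). Namespace values are quoted so a namespace named like a YAML
# boolean or number still renders as a string.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-psp
  namespace: "{{ .Release.Namespace }}"
  labels:
    linkerd.io/control-plane-ns: "{{.Release.Namespace}}"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  kind: Role
  name: linkerd-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: "{{.Release.Namespace}}"
{{ if not .Values.disableHeartBeat -}}
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: "{{.Release.Namespace}}"
{{ end -}}
- kind: ServiceAccount
  name: linkerd-identity
  namespace: "{{.Release.Namespace}}"
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: "{{.Release.Namespace}}"
{{ end -}}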