ingress-nginx-helm/docs/examples/psp/psp.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx

---

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  allowedCapabilities:
    - NET_BIND_SERVICE
  privileged: false
  allowPrivilegeEscalation: true
  # Allow core volume types.
  volumes:
    - configMap
    - secret
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: MustRunAs
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  seLinux:
    rule: RunAsAny

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-psp
  namespace: ingress-nginx
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  verbs: [use]
  resourceNames: [ingress-nginx]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-psp
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-psp
subjects:
- kind: ServiceAccount
  name: default
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
Add support for psp 2019-07-29 12:05:36 +00:00			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: ingress-nginx`

			`---`

			`apiVersion: policy/v1beta1`
			`kind: PodSecurityPolicy`
			`metadata:`
			`name: ingress-nginx`
Update psp example 2020-08-11 15:21:48 +00:00			`namespace: ingress-nginx`
Add support for psp 2019-07-29 12:05:36 +00:00			`spec:`
			`allowedCapabilities:`
Update psp example 2020-08-11 15:21:48 +00:00			`- NET_BIND_SERVICE`
			`privileged: false`
Add support for psp 2019-07-29 12:05:36 +00:00			`allowPrivilegeEscalation: true`
Update psp example 2020-08-11 15:21:48 +00:00			`# Allow core volume types.`
			`volumes:`
			`- configMap`
			`- secret`
Add support for psp 2019-07-29 12:05:36 +00:00			`hostIPC: false`
			`hostPID: false`
			`runAsUser:`
Update psp example 2020-08-11 15:21:48 +00:00			`# Require the container to run without root privileges.`
			`rule: MustRunAsNonRoot`
Add support for psp 2019-07-29 12:05:36 +00:00			`supplementalGroups:`
Update psp example 2020-08-11 15:21:48 +00:00			`rule: MustRunAs`
Add support for psp 2019-07-29 12:05:36 +00:00			`ranges:`
Update psp example 2020-08-11 15:21:48 +00:00			`# Forbid adding the root group.`
			`- min: 1`
			`max: 65535`
			`fsGroup:`
			`rule: MustRunAs`
			`ranges:`
			`# Forbid adding the root group.`
			`- min: 1`
			`max: 65535`
			`readOnlyRootFilesystem: false`
			`seLinux:`
			`rule: RunAsAny`
Add support for psp 2019-07-29 12:05:36 +00:00
			`---`

			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: ingress-nginx-psp`
			`namespace: ingress-nginx`
			`rules:`
Update psp example 2020-08-11 15:21:48 +00:00			`- apiGroups: [policy]`
			`resources: [podsecuritypolicies]`
			`verbs: [use]`
			`resourceNames: [ingress-nginx]`
Add support for psp 2019-07-29 12:05:36 +00:00
			`---`

			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: ingress-nginx-psp`
			`namespace: ingress-nginx`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: ingress-nginx-psp`
			`subjects:`
			`- kind: ServiceAccount`
			`name: default`
			`- kind: ServiceAccount`
Update psp example 2020-08-11 15:21:48 +00:00			`name: ingress-nginx`
			`namespace: ingress-nginx`
Added role binding for 'ingress-nginx-admission' to PSP example (#6018) 2020-11-12 20:02:13 +00:00			`- kind: ServiceAccount`
			`name: ingress-nginx-admission`
			`namespace: ingress-nginx`