---
# PodSecurityPolicy that the kube-flannel DaemonSet pods are admitted under.
# The ClusterRole later in this file grants `use` on it to the flannel
# ServiceAccount, which is what makes it apply to those pods.
# NOTE(review): policy/v1beta1 PodSecurityPolicy is deprecated and is not served
# on Kubernetes 1.25+; on such clusters this document cannot be applied and the
# same restrictions need Pod Security Admission or another admission policy.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    # Only the runtime default seccomp/AppArmor profiles may be requested, and
    # they are applied when the pod does not ask for a profile itself.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  # Volume types the pod may use; hostPath is restricted by allowedHostPaths.
  volumes:
    - configMap
    - secret
    - emptyDir
    - hostPath
  # None of these prefixes is marked readOnly: the install-cni init container
  # copies the conflist into /etc/cni/net.d and flanneld mounts /run/flannel
  # read-write, so those two need write access. The DaemonSet mounts
  # /etc/kube-flannel from the ConfigMap, not from the host, so that prefix
  # looks unused — TODO confirm before removing it.
  allowedHostPaths:
    - pathPrefix: "/etc/cni/net.d"
    - pathPrefix: "/etc/kube-flannel"
    - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups: RunAsAny places no constraint on the UID/GIDs a pod asks for.
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation: denied, and pods may not opt in.
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities: only NET_ADMIN and NET_RAW may be added (the DaemonSet adds
  # exactly these); nothing is added by default and nothing is required to be
  # dropped.
  # NOTE(review): requiring the rest to be dropped (requiredDropCapabilities:
  # ['ALL'] with a matching explicit drop in the DaemonSet) would tighten this —
  # verify against the target Kubernetes version before changing.
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces: hostNetwork must be allowed because the DaemonSet sets
  # hostNetwork: true; the host PID and IPC namespaces stay denied.
  hostPID: false
  hostIPC: false
  hostNetwork: true
  # Every host port may be requested. The DaemonSet declares no container
  # ports, so this range looks wider than needed; an empty list would deny
  # hostPort entirely — TODO confirm nothing depends on it before narrowing.
  hostPorts:
    - min: 0
      max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
# Cluster-wide permissions for the flannel ServiceAccount (bound by the
# ClusterRoleBinding that follows).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
  # `use` on the PSP defined above is what lets the PSP admission controller
  # admit flannel pods under that policy.
  # NOTE(review): the PSP is declared as policy/v1beta1, but this rule names
  # the legacy `extensions` group. The PSP admission controller historically
  # authorized both groups, so this works on clusters that still serve PSPs;
  # `policy` is the canonical group — confirm against the target version
  # before switching.
  - apiGroups: ['extensions']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['psp.flannel.unprivileged']
  # Read access to pods. The DaemonSet hands flanneld its own POD_NAME and
  # POD_NAMESPACE via the downward API, so presumably it only needs its own
  # pod; the grant is nevertheless cluster-wide (ClusterRole, no namespace).
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  # Node list/watch, presumably for the per-node pod CIDRs that
  # --kube-subnet-mgr works from — verify against the flannel version used.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  # nodes/status patch is a cluster-wide write permission; keep this role
  # bound only to the flannel ServiceAccount.
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---
# Grants the `flannel` ClusterRole to the flannel ServiceAccount in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flannel
subjects:
  - kind: ServiceAccount
    name: flannel
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: flannel
  apiGroup: rbac.authorization.k8s.io
---
# Identity the kube-flannel DaemonSet pods run as (serviceAccountName: flannel).
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: kube-system
  name: flannel
---
# Configuration consumed by the DaemonSet below: cni-conf.json is copied onto
# each node by the install-cni init container, and the whole ConfigMap is
# mounted at /etc/kube-flannel/ in the kube-flannel container (presumably
# where flanneld reads net-conf.json from).
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  # CNI conflist installed as /etc/cni/net.d/10-flannel.conflist: the flannel
  # plugin with its delegate settings, chained with portmap for port mappings.
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  # NOTE(review): "192.168.8.0/16" has host bits set, so the CIDR parser will
  # most likely treat it as 192.168.0.0/16. Whatever range is intended must
  # match the cluster's pod CIDR and must not overlap the node or service
  # networks — confirm before deploying.
  net-conf.json: |
    {
      "Network": "192.168.8.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
# Runs flanneld on every Linux node. The pod shares the host network namespace,
# uses the flannel ServiceAccount (so the PSP and ClusterRole above apply) and
# takes its configuration from the kube-flannel-cfg ConfigMap.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      # Linux nodes only.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      # Tolerates every NoSchedule taint, so the pod lands on tainted nodes too
      # (control-plane, not-ready, and any custom NoSchedule taint).
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      # Copies the conflist from the ConfigMap mount onto the host's CNI
      # directory before flanneld starts; this is why the `cni` hostPath must
      # be writable.
      initContainers:
        - name: install-cni
          # NOTE(review): a release-candidate tag, pinned by tag only. Pinning
          # by digest (image@sha256:<digest>) would make the deployed image
          # immutable; the same applies to the kube-flannel container below.
          image: quay.io/coreos/flannel:v0.13.1-rc1
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.13.1-rc1
          command:
            - /opt/bin/flanneld
          # --ip-masq enables masquerading of pod traffic leaving the overlay;
          # --kube-subnet-mgr makes flanneld take subnet data from the
          # Kubernetes API (the ClusterRole's node permissions) instead of etcd.
          args:
            - --ip-masq
            - --kube-subnet-mgr
          # Requests equal limits, i.e. Guaranteed QoS for this pod.
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Unprivileged, with exactly the two capabilities the PSP allows.
          securityContext:
            privileged: false
            capabilities:
              add: ["NET_ADMIN", "NET_RAW"]
          # The pod's own name and namespace, via the downward API.
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            # Writable host directory flanneld uses at runtime.
            - name: run
              mountPath: /run/flannel
            # ConfigMap mount; configMap volumes are mounted read-only by the
            # kubelet, so no readOnly flag is needed here.
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      # Host paths used here must stay within the PSP's allowedHostPaths.
      volumes:
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg