@@ -6,20 +6,16 @@ metadata:
66 # Optional: Allow the default AppArmor profile, requires setting the default.
77 apparmor.security.beta.kubernetes.io/allowedProfileNames : ' runtime/default'
88 apparmor.security.beta.kubernetes.io/defaultProfileName : ' runtime/default'
9- # Optional: Allow the default seccomp profile, requires setting the default.
10- seccomp.security.alpha.kubernetes.io/allowedProfileNames : ' docker/default,runtime/default,unconfined'
11- seccomp.security.alpha.kubernetes.io/defaultProfileName : ' unconfined'
9+ seccomp.security.alpha.kubernetes.io/allowedProfileNames : ' *'
1210spec :
1311 privileged : false
14- # The moby default capability set, defined here:
15- # https://github.com/moby/moby/blob/0a5cec2833f82a6ad797d70acbf9cbbaf8956017/oci/caps/defaults.go#L6-L19
12+ # The moby default capability set, minus NET_RAW
1613 allowedCapabilities :
1714 - ' CHOWN'
1815 - ' DAC_OVERRIDE'
1916 - ' FSETID'
2017 - ' FOWNER'
2118 - ' MKNOD'
22- - ' NET_RAW'
2319 - ' SETGID'
2420 - ' SETUID'
2521 - ' SETFCAP'
@@ -36,15 +32,16 @@ spec:
3632 - ' projected'
3733 - ' secret'
3834 - ' downwardAPI'
39- # Assume that persistentVolumes set up by the cluster admin are safe to use.
35+ # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
36+ - ' csi'
4037 - ' persistentVolumeClaim'
38+ - ' ephemeral'
4139 # Allow all other non-hostpath volume types.
4240 - ' awsElasticBlockStore'
4341 - ' azureDisk'
4442 - ' azureFile'
4543 - ' cephFS'
4644 - ' cinder'
47- - ' csi'
4845 - ' fc'
4946 - ' flexVolume'
5047 - ' flocker'
6764 runAsUser :
6865 rule : ' RunAsAny'
6966 seLinux :
67+ # This policy assumes the nodes are using AppArmor rather than SELinux.
68+ # The PSP SELinux API cannot express the SELinux Pod Security Standards,
69+ # so if using SELinux, you must choose a more restrictive default.
7070 rule : ' RunAsAny'
7171 supplementalGroups :
7272 rule : ' RunAsAny'
0 commit comments