...
For fluent-bit, we are going to define a separate pod security policy and bind it to fluent-bit's service account.
Code Block | ||
---|---|---|
| ||
apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: ncyd-fluent-bit-psp annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: addonmanager.kubernetes.io/mode: EnsureExists spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'hostPath' - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 readOnlyRootFilesystem: false --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ncyd-fluent-bit labels: addonmanager.kubernetes.io/mode: EnsureExists rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - ncyd-fluent-bit-psp --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: ncyd-fluent-bit subjects: - kind: ServiceAccount name: fluent-bit namespace: default roleRef: kind: ClusterRole name: ncyd-fluent-bit apiGroup: rbac.authorization.k8s.io |
...