3c4ebf0172
This change updates the namespace-config chart to (optionally) create
RBAC rules allowing service accounts in the namespace 'use' access to an
existing Pod Security Policy in the cluster. The policy is specified as:
podSecurityPolicy:
existingPsp: name-of-existing-psp
This aligns with the PSP deprecation guidance provided to date [0],
which suggests easing the transition to the "PSP Replacement Policy" by
establishing the standard PSPs (Restricted, Baseline, and Privileged),
assigning a cluster-wide default, and binding more-permissive policies
as needed in certain namespaces.
[0] https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/
Change-Id: I46da230abf822e0cc3553561fd779444439c34a7
34 lines
1.0 KiB
YAML
34 lines
1.0 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for memcached.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
---
|
|
limits:
|
|
- type: Container
|
|
default:
|
|
cpu: 8
|
|
memory: 8192Mi
|
|
defaultRequest:
|
|
cpu: 0.1
|
|
memory: 64Mi
|
|
|
|
podSecurityPolicy:
|
|
# Optionally specify the name of an existing pod security policy.
|
|
# If specified, a role and rolebinding will be created granting access for
|
|
# service accounts in this namespace to use existingPsp.
|
|
existingPsp: ""
|
|
...
|