openstack-helm-infra/podsecuritypolicy/values.yaml

# Copyright 2018, AT&T Intellectual Property
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

conf:
  # This defines creation of ClusterRoleBindings that configure
  # default PodSecurityPolicies for the subjects below.
  # `nil` avoids creation of a default binding for the subject.
  #
  defaults:
    serviceaccounts: psp-default
    authenticated: psp-default
    unauthenticated: nil

data:
  # Each of these corresponds to the `spec` of a PodSecurityPolicy object.
  # Note that this default PodSecurityPolicy is incredibly permissive.  It is
  # intended to be tuned over time as a default, and to be overridden by
  # operators as appropriate.
  #
  # A ClusterRole will be created for the PSP, with the same `metadata.name`.
  #
  # Note: you can define as many PSPs here as you need.
  #
  psp-default:  # This will be the `metadata.name` of the PodSecurityPolicy
    annotations: {} # Placeholder to add seccomp/apparmor default annotations
    spec:
      privileged: true
      allowPrivilegeEscalation: true
      hostNetwork: true
      hostPID: true
      hostIPC: true
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      volumes:
      - '*'
      allowedCapabilities:
      - '*'
      hostPorts:
      - min: 1
        max: 65536
manifests:
  podsecuritypolicy: true