set AllowPrivilegeEscalation on container securityContext (#1326)
This commit is contained in:
Felix Kunde
GitHub
parent
a9b677c957
commit
4ea0b5f432
|
|
@ -63,6 +63,7 @@ rules:
|
||||||
- services
|
- services
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
|
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
|
||||||
# to run privileged pods
|
# to run privileged pods
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- extensions
|
- extensions
|
||||||
|
|
@ -72,4 +73,5 @@ rules:
|
||||||
- privileged
|
- privileged
|
||||||
verbs:
|
verbs:
|
||||||
- use
|
- use
|
||||||
|
{{- end }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
|
||||||
|
|
@ -228,7 +228,8 @@ rules:
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- create
|
- create
|
||||||
# to grant privilege to run privileged pods
|
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
|
||||||
|
# to run privileged pods
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
|
|
@ -237,4 +238,5 @@ rules:
|
||||||
- privileged
|
- privileged
|
||||||
verbs:
|
verbs:
|
||||||
- use
|
- use
|
||||||
|
{{- end }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
|
||||||
|
|
@ -203,15 +203,15 @@ rules:
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- create
|
- create
|
||||||
# to grant privilege to run privileged pods
|
# to grant privilege to run privileged pods (not needed by default)
|
||||||
- apiGroups:
|
#- apiGroups:
|
||||||
- extensions
|
# - extensions
|
||||||
resources:
|
# resources:
|
||||||
- podsecuritypolicies
|
# - podsecuritypolicies
|
||||||
resourceNames:
|
# resourceNames:
|
||||||
- privileged
|
# - privileged
|
||||||
verbs:
|
# verbs:
|
||||||
- use
|
# - use
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
|
@ -265,12 +265,12 @@ rules:
|
||||||
- services
|
- services
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
# to run privileged pods
|
# to grant privilege to run privileged pods (not needed by default)
|
||||||
- apiGroups:
|
#- apiGroups:
|
||||||
- extensions
|
# - extensions
|
||||||
resources:
|
# resources:
|
||||||
- podsecuritypolicies
|
# - podsecuritypolicies
|
||||||
resourceNames:
|
# resourceNames:
|
||||||
- privileged
|
# - privileged
|
||||||
verbs:
|
# verbs:
|
||||||
- use
|
# - use
|
||||||
|
|
|
||||||
|
|
@ -453,8 +453,9 @@ func generateContainer(
|
||||||
VolumeMounts: volumeMounts,
|
VolumeMounts: volumeMounts,
|
||||||
Env: envVars,
|
Env: envVars,
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
Privileged: &privilegedMode,
|
AllowPrivilegeEscalation: &privilegedMode,
|
||||||
ReadOnlyRootFilesystem: util.False(),
|
Privileged: &privilegedMode,
|
||||||
|
ReadOnlyRootFilesystem: util.False(),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue