set AllowPrivilegeEscalation on container securityContext (#1326)
This commit is contained in:
Felix Kunde
GitHub
parent
a9b677c957
commit
4ea0b5f432
|
|
@ -63,6 +63,7 @@ rules:
|
|||
- services
|
||||
verbs:
|
||||
- create
|
||||
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
|
||||
# to run privileged pods
|
||||
- apiGroups:
|
||||
- extensions
|
||||
|
|
@ -72,4 +73,5 @@ rules:
|
|||
- privileged
|
||||
verbs:
|
||||
- use
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
|
|
|
|||
|
|
@ -228,7 +228,8 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- create
|
||||
# to grant privilege to run privileged pods
|
||||
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
|
||||
# to run privileged pods
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
|
|
@ -237,4 +238,5 @@ rules:
|
|||
- privileged
|
||||
verbs:
|
||||
- use
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
|
|
|
|||
|
|
@ -203,15 +203,15 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- create
|
||||
# to grant privilege to run privileged pods
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
resourceNames:
|
||||
- privileged
|
||||
verbs:
|
||||
- use
|
||||
# to grant privilege to run privileged pods (not needed by default)
|
||||
#- apiGroups:
|
||||
# - extensions
|
||||
# resources:
|
||||
# - podsecuritypolicies
|
||||
# resourceNames:
|
||||
# - privileged
|
||||
# verbs:
|
||||
# - use
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
@ -265,12 +265,12 @@ rules:
|
|||
- services
|
||||
verbs:
|
||||
- create
|
||||
# to run privileged pods
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
resourceNames:
|
||||
- privileged
|
||||
verbs:
|
||||
- use
|
||||
# to grant privilege to run privileged pods (not needed by default)
|
||||
#- apiGroups:
|
||||
# - extensions
|
||||
# resources:
|
||||
# - podsecuritypolicies
|
||||
# resourceNames:
|
||||
# - privileged
|
||||
# verbs:
|
||||
# - use
|
||||
|
|
|
|||
|
|
@ -453,8 +453,9 @@ func generateContainer(
|
|||
VolumeMounts: volumeMounts,
|
||||
Env: envVars,
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
Privileged: &privilegedMode,
|
||||
ReadOnlyRootFilesystem: util.False(),
|
||||
AllowPrivilegeEscalation: &privilegedMode,
|
||||
Privileged: &privilegedMode,
|
||||
ReadOnlyRootFilesystem: util.False(),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue