A Slightly More Restrictive PSP (#3085)

* Adds more PSP restrictions
* Update test fixtures
* Updates PSP to be conditional on initContainer

- The proxy-init container runs as root, so when an init container is
present the PSP must still permit that user (UID 0).

Signed-off-by: Cody Vandermyn <cody.vandermyn@nordstrom.com>
Cody Vandermyn 2019-07-24 10:12:33 -07:00 committed by Ivan Sim
parent c832d354f2
commit 808fa381f9
2 changed files with 17 additions and 3 deletions


@ -26,17 +26,31 @@ spec:
seLinux: seLinux:
rule: RunAsAny rule: RunAsAny
runAsUser: runAsUser:
{{- if .NoInitContainer }}
rule: MustRunAsNonRoot
{{- else }}
rule: RunAsAny rule: RunAsAny
{{- end }}
supplementalGroups: supplementalGroups:
rule: MustRunAs rule: MustRunAs
ranges: ranges:
{{- if .NoInitContainer }}
- min: 10001
max: 65535
{{- else }}
- min: 1 - min: 1
max: 65535 max: 65535
{{- end }}
fsGroup: fsGroup:
rule: MustRunAs rule: MustRunAs
ranges: ranges:
{{- if .NoInitContainer }}
- min: 10001
max: 65535
{{- else }}
- min: 1 - min: 1
max: 65535 max: 65535
{{- end }}
volumes: volumes:
- configMap - configMap
- emptyDir - emptyDir
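Review bot: The tightened rules only take effect when `.NoInitContainer` is set, so the default install (proxy-init present) still grants `runAsUser: RunAsAny` and GID ranges starting at 1 to every container in the pod, because a PSP rule is checked against each container and cannot permit root for proxy-init alone. That trade-off is deliberate per the commit message but invisible in the template; a comment above the first `{{- if .NoInitContainer }}` such as `# proxy-init needs UID 0 and a PSP cannot be scoped to one container, so the whole pod keeps RunAsAny unless CNI mode removes the init container` would keep the rationale with the code. The 10001 floor on `supplementalGroups` and `fsGroup` is undocumented and repeated twice; the proxy's own UID/GID is not visible in this hunk, so confirm the floor does not reject the injected proxy sidecar or workloads that use lower GIDs, and consider sourcing it from one template value. Also note that `MustRunAsNonRoot` rejects pods whose images set no numeric `USER` and whose spec sets no `runAsUser`, which is worth calling out wherever CNI mode is documented. The enclosing `spec:` begins outside the hunk.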


@ -511,16 +511,16 @@ spec:
seLinux: seLinux:
rule: RunAsAny rule: RunAsAny
runAsUser: runAsUser:
rule: RunAsAny rule: MustRunAsNonRoot
supplementalGroups: supplementalGroups:
rule: MustRunAs rule: MustRunAs
ranges: ranges:
- min: 1 - min: 10001
max: 65535 max: 65535
fsGroup: fsGroup:
rule: MustRunAs rule: MustRunAs
ranges: ranges:
- min: 1 - min: 10001
max: 65535 max: 65535
volumes: volumes:
- configMap - configMap