[WIFI-5420] Add: support for unsafe sysctls with psp
@@ -24,6 +24,9 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
checksum/config: {{ include "owgw.config" . | sha256sum }}
|
checksum/config: {{ include "owgw.config" . | sha256sum }}
|
||||||
|
{{- if .Values.podSecurityPolicy.enabled }}
|
||||||
|
kubernetes.io/psp: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
|
||||||
|
{{- end }}
|
||||||
{{- with .Values.podAnnotations }}
|
{{- with .Values.podAnnotations }}
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
28
helm/templates/psp.yaml
Normal file
28
helm/templates/psp.yaml
Normal file
@@ -0,0 +1,28 @@
|
|||||||
|
{{- if .Values.podSecurityPolicy.enabled }}
|
||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: {{ include "owgw.name" . }}
|
||||||
|
helm.sh/chart: {{ include "owgw.chart" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
spec:
|
||||||
|
allowedUnsafeSysctls:
|
||||||
|
{{- range $unsafeSysctl := .Values.securityContext.sysctls }}
|
||||||
|
- {{ $unsafeSysctl.name }}
|
||||||
|
{{- end }}
|
||||||
|
privileged: false
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- '*'
|
||||||
|
{{- end }}
|
||||||
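Review bot: The PodSecurityPolicy is created but nothing in this commit grants the `use` verb on it, and the PSP admission controller only applies a policy to pods whose creating user or service account is RBAC-authorized to use it; the `kubernetes.io/psp` annotation added to the pod template in the deployment hunk is written by the admission controller after admission, not read by it, so it does not bind the pod to this policy. A Role granting `use` on `podsecuritypolicies` restricted by `resourceNames` to this PSP, plus a RoleBinding to the Deployment's ServiceAccount, should live under the same `podSecurityPolicy.enabled` guard (the subject name below is a guess, the ServiceAccount is not visible in this commit). Separately, the spec is broader than the feature needs: `volumes: ['*']` admits hostPath and every other volume type, and `allowPrivilegeEscalation` is left at its PSP default of true, so restricting `volumes` to the types the Deployment actually mounts and adding `allowPrivilegeEscalation: false` with `requiredDropCapabilities: [ALL]` would limit what a workload admitted under this policy can do. Note that `policy/v1beta1` PodSecurityPolicy is deprecated since Kubernetes 1.21 and removed in 1.25; a header comment such as `# PodSecurityPolicy is removed in Kubernetes 1.25; on newer clusters unsafe sysctls are gated by the kubelet flag alone` would save the next maintainer the surprise.
```yaml
{{- if .Values.podSecurityPolicy.enabled }}
# … unchanged: PodSecurityPolicy resource …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "owgw.fullname" . }}-psp
  labels:
    app.kubernetes.io/name: {{ include "owgw.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
      - {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "owgw.fullname" . }}-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "owgw.fullname" . }}-psp
subjects:
  - kind: ServiceAccount
    # NOTE(review): the account the Deployment's pod template runs as is not
    # visible in this commit; "default" is only the fallback — confirm
    name: default
    namespace: {{ .Release.Namespace }}
{{- end }}
```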
@@ -112,13 +112,17 @@ resources: {}
|
|||||||
|
|
||||||
securityContext:
|
securityContext:
|
||||||
fsGroup: 101
|
fsGroup: 101
|
||||||
sysctls:
|
# Usage of unsafe sysctls requires multiple things:
|
||||||
- name: net.ipv4.tcp_keepalive_intvl
|
# - allow these unsafe sysctls on kubelet level (by adding --allowed-unsafe-sysctls flag)
|
||||||
value: "5"
|
# - enabling addition of PodSecurityContext setting podSecurityPolicy.enabled to "true" below
|
||||||
- name: net.ipv4.tcp_keepalive_probes
|
# - uncommenting parameters below
|
||||||
value: "2"
|
#sysctls:
|
||||||
- name: net.ipv4.tcp_keepalive_time
|
#- name: net.ipv4.tcp_keepalive_intvl
|
||||||
value: "45"
|
# value: "5"
|
||||||
|
#- name: net.ipv4.tcp_keepalive_probes
|
||||||
|
# value: "2"
|
||||||
|
#- name: net.ipv4.tcp_keepalive_time
|
||||||
|
# value: "45"
|
||||||
|
|
||||||
nodeSelector: {}
|
nodeSelector: {}
|
||||||
|
|
||||||
@@ -128,6 +132,9 @@ affinity: {}
|
|||||||
|
|
||||||
podAnnotations: {}
|
podAnnotations: {}
|
||||||
|
|
||||||
|
podSecurityPolicy:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
# storageClassName: "-"
|
# storageClassName: "-"
|
||||||
|
|||||||
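Review bot: The new comment block reads `enabling addition of PodSecurityContext setting podSecurityPolicy.enabled to "true"` but the resource the flag creates is a PodSecurityPolicy, not a PodSecurityContext, and the checklist also omits the step that actually gates admission — an RBAC grant of the `use` verb on that PSP to the pod's service account, which nothing in this commit adds. I'd rewrite the three bullet lines as `# - allow these sysctls on every kubelet (--allowed-unsafe-sysctls, or allowedUnsafeSysctls in the kubelet config)`, `# - set podSecurityPolicy.enabled to true so the chart renders a PodSecurityPolicy listing them`, `# - grant the pod's ServiceAccount "use" on that PodSecurityPolicy via RBAC, then uncomment the entries below`. Since the `sysctls` entries are now commented out by default, one more line such as `# NOTE: a default install no longer applies the TCP keepalive tuning below` is worth adding, because a reader of this values file would otherwise assume the previous defaults still apply.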