Fix PodSecurityPolicies

cybozu-go · Oct 7, 2020 · 35e5420 · 35e5420
1 parent ecff237
commit 35e5420
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/v2/config/default/pod_security_policy.yaml b/v2/config/default/pod_security_policy.yaml
@@ -12,7 +12,7 @@ spec:
     - 'emptyDir'
     - 'secret'
     - 'downwardAPI'
-  hostNetwork: false
+  hostNetwork: true
   hostIPC: false
   hostPID: false
   seLinux:
@@ -31,6 +31,12 @@ spec:
       # Forbid adding the root group.
       - min: 1
         max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
   readOnlyRootFilesystem: true
 ---
 apiVersion: policy/v1beta1
@@ -56,6 +62,7 @@ spec:
   - pathPrefix: "/etc/cni/net.d"
     readOnly: false
   hostNetwork: true
+  hostPID: true
   seLinux:
     rule: 'RunAsAny'
   runAsUser: