Fix PodSecurityPolicies

cybozu-go · Oct 7, 2020 · b4b50d5 · b4b50d5
1 parent ecff237
commit b4b50d5
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/v2/config/default/pod_security_policy.yaml b/v2/config/default/pod_security_policy.yaml
@@ -12,7 +12,10 @@ spec:
     - 'emptyDir'
     - 'secret'
     - 'downwardAPI'
-  hostNetwork: false
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
   hostIPC: false
   hostPID: false
   seLinux:
@@ -31,6 +34,12 @@ spec:
       # Forbid adding the root group.
       - min: 1
         max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
   readOnlyRootFilesystem: true
 ---
 apiVersion: policy/v1beta1
@@ -56,6 +65,10 @@ spec:
   - pathPrefix: "/etc/cni/net.d"
     readOnly: false
   hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostPID: true
   seLinux:
     rule: 'RunAsAny'
   runAsUser:
@@ -82,6 +95,9 @@ spec:
     - 'secret'
     - 'downwardAPI'
   hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
   seLinux:
     rule: 'RunAsAny'
   runAsUser: