...
- Create a PodSecurityPolicy to drop the Linux capability "NET_RAW".
- Create an RBAC role to allow use of the PodSecurityPolicy created in step 1.
- Bind the RBAC role to serviceaccount "default".
Exact PodSecurityPolicy Spec we are using:
```yaml
spec:
  allowPrivilegeEscalation: true
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  requiredDropCapabilities:
  - NET_RAW
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
```
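The three steps above (PodSecurityPolicy, RBAC role granting `use` on it, binding to the `default` service account) as one complete manifest. This is an added example, not a manifest from the original report; the object names `drop-net-raw`, `psp-drop-net-raw-user`, `psp-drop-net-raw-default-sa` and the namespace `default` are assumptions, while the PSP `spec` is copied from the report.

```yaml
# Step 1: the PodSecurityPolicy (spec taken from the report above).
# Note that apart from dropping NET_RAW this policy is fully permissive:
# privileged containers, host network/PID/IPC and any volume type are allowed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: drop-net-raw            # assumed name
spec:
  allowPrivilegeEscalation: true
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  requiredDropCapabilities:
  - NET_RAW                     # the only restriction this policy imposes
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
---
# Step 2: an RBAC role that permits using the policy from step 1.
# A ClusterRole is used so the same rule can be bound in any namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-drop-net-raw-user   # assumed name
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]
  resourceNames: ["drop-net-raw"]   # restrict to exactly this PSP
---
# Step 3: bind the role to the "default" service account.
# A RoleBinding scopes the grant to one namespace (here: default).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-drop-net-raw-default-sa   # assumed name
  namespace: default                  # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-drop-net-raw-user
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
```

Apply with `kubectl apply -f <file>`. Two points worth checking in a real cluster: the PodSecurityPolicy admission plugin must be enabled on the API server, and if any other PSP is usable by the same service account the admission controller may pick that one instead, so the dropped capability should be verified on a running pod (for example by checking the capability bounding set in `/proc/1/status` inside the container). PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on current clusters the same `NET_RAW` drop is expressed through Pod Security Admission or a policy engine rather than a PSP.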