Versions Compared

Old Version 16

changes.mady.by.user Hao Xu

Saved on

compared with

New Version 17

changes.mady.by.user Hao Xu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Create a PodSecurityPolicy to drop the Linux capability "NET_RAW".
  2. Create an RBAC role to allow use of the PodSecurityPolicy created in step 1.
  3. Bind the RBAC role to serviceaccount "default".

Exact PodSecurityPolicy Spec we are using:

spec:
  allowPrivilegeEscalation: true
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  requiredDropCapabilities:
  - NET_RAW
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'