summaryrefslogtreecommitdiffstats
path: root/setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl
diff options
context:
space:
mode:
Diffstat (limited to 'setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl')
-rw-r--r--setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl43
1 files changed, 43 insertions, 0 deletions
diff --git a/setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl b/setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl
new file mode 100644
index 0000000..d155267
--- /dev/null
+++ b/setup/projects/katrin/templates/00-katrin-restricted.yml.j2.excl
@@ -0,0 +1,43 @@
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: v1
+defaultAddCapabilities: null
+fsGroup:
+ type: MustRunAs
+groups:
+- system:authenticated
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: restricted denies access to all host features and requires
+ pods to be run with a UID, and SELinux context that are allocated to the namespace. This
+ is the most restrictive SCC.
+ creationTimestamp: null
+ name: katrin-restricted
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SYS_CHROOT
+- SETUID
+- SETGID
+runAsUser:
+ type: MustRunAsRange
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- glusterfs
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 09:41:54 +0000