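# istio.io/istio@v0.0.0-20240520182934-d79c90f27776/samples/security/psp/sidecar-psp.yaml
#
# PodSecurityPolicy plus the RBAC needed for pods to "use" it, so the Istio
# sidecar injector can work on a cluster running the PSP admission controller.
#
# NOTE(review): PodSecurityPolicy only ever existed in policy/v1beta1 (and the
# older extensions/v1beta1); there is no PodSecurityPolicy kind in policy/v1,
# so the original `apiVersion: policy/v1` would be rejected by the API server.
# PSP was removed entirely in Kubernetes 1.25 — on newer clusters use Pod
# Security Admission or an external policy engine instead.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: istio-sidecar
spec:
  # Allow the istio sidecar injector to work. NET_ADMIN and NET_RAW are the
  # capabilities the injected init container asks for (presumably to program
  # the pod's traffic-redirect rules — confirm against the injector template).
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    # RunAsAny also permits uid 0; tighten to MustRunAsNonRoot where the
    # workloads bound to this policy do not need root.
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # '*' admits every volume type, hostPath included. It must stay quoted:
  # a bare * is parsed as a YAML alias. Narrow this list if the binding
  # below is broader than the sidecar alone requires.
  volumes:
    - '*'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: istio-sidecar-psp
rules:
  - apiGroups:
      # "policy" matches the PSP's own API group; "extensions" is kept only
      # for clusters that still authorize PSP use through the legacy group.
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - istio-sidecar
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-sidecar-psp
subjects:
  # system:serviceaccounts is every service account in every namespace, so
  # any pod in the cluster may use this PSP (NET_ADMIN/NET_RAW, RunAsAny,
  # any volume type). Scope the binding to the namespaces or service
  # accounts that actually receive the sidecar if that is broader than
  # intended.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts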