k8s: fix PodSecurityPolicy
This commit is contained in:
parent
c4fc3d37c6
commit
ec570baee6
|
@ -14,6 +14,10 @@ Deploy the service to listen for JVB UDP traffic on all cluster nodes port 30300
|
|||
|
||||
`kubectl create -f jvb-service.yaml`
|
||||
|
||||
If PodSecurityPolicies were enabled, we would then install a PSP and Role for jitsi:
|
||||
|
||||
`kubectl create -f rbac.yaml`
|
||||
|
||||
Now we can deploy the rest of the application. First modify the `DOCKER_HOST_ADDRESS` env value in deployment.yaml to point to one of nodes in your cluster (or load-balancer for all nodes if you have one), and then deploy it:
|
||||
|
||||
`kubectl create -f deployment.yaml`
|
||||
|
|
|
@ -1,3 +1,10 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: jitsi
|
||||
namespace: jitsi
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
@ -143,3 +150,4 @@ spec:
|
|||
value: jvbbrewery
|
||||
- name: TZ
|
||||
value: America/Los_Angeles
|
||||
serviceAccountName: jitsi
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: jitsi-privileged
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
hostIPC: false
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostPorts:
|
||||
- max: 65535
|
||||
min: 0
|
||||
privileged: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- emptyDir
|
||||
- persistentVolumeClaim
|
||||
- projected
|
||||
- secret
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: jitsi-privileged
|
||||
namespace: jitsi
|
||||
rules:
|
||||
- apiGroups:
|
||||
- policy
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
resourceNames:
|
||||
- jitsi-privileged
|
||||
verbs:
|
||||
- use
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: jitsi-privileged
|
||||
namespace: jitsi
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: jitsi-privileged
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: jitsi
|
Loading…
Reference in New Issue