k8s: fix PodSecurityPolicy
This commit is contained in:
parent
c4fc3d37c6
commit
ec570baee6
|
@ -14,6 +14,10 @@ Deploy the service to listen for JVB UDP traffic on all cluster nodes port 30300
|
||||||
|
|
||||||
`kubectl create -f jvb-service.yaml`
|
`kubectl create -f jvb-service.yaml`
|
||||||
|
|
||||||
|
If PodSecurityPolicies were enabled, we would then install a PSP and Role for jitsi:
|
||||||
|
|
||||||
|
`kubectl create -f rbac.yaml`
|
||||||
|
|
||||||
Now we can deploy the rest of the application. First modify the `DOCKER_HOST_ADDRESS` env value in deployment.yaml to point to one of nodes in your cluster (or load-balancer for all nodes if you have one), and then deploy it:
|
Now we can deploy the rest of the application. First modify the `DOCKER_HOST_ADDRESS` env value in deployment.yaml to point to one of nodes in your cluster (or load-balancer for all nodes if you have one), and then deploy it:
|
||||||
|
|
||||||
`kubectl create -f deployment.yaml`
|
`kubectl create -f deployment.yaml`
|
||||||
|
|
|
@ -1,3 +1,10 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: jitsi
|
||||||
|
namespace: jitsi
|
||||||
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -143,3 +150,4 @@ spec:
|
||||||
value: jvbbrewery
|
value: jvbbrewery
|
||||||
- name: TZ
|
- name: TZ
|
||||||
value: America/Los_Angeles
|
value: America/Los_Angeles
|
||||||
|
serviceAccountName: jitsi
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: jitsi-privileged
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
hostIPC: false
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
hostPorts:
|
||||||
|
- max: 65535
|
||||||
|
min: 0
|
||||||
|
privileged: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- configMap
|
||||||
|
- downwardAPI
|
||||||
|
- emptyDir
|
||||||
|
- persistentVolumeClaim
|
||||||
|
- projected
|
||||||
|
- secret
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: jitsi-privileged
|
||||||
|
namespace: jitsi
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- policy
|
||||||
|
resources:
|
||||||
|
- podsecuritypolicies
|
||||||
|
resourceNames:
|
||||||
|
- jitsi-privileged
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: jitsi-privileged
|
||||||
|
namespace: jitsi
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: jitsi-privileged
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: jitsi
|
Loading…
Reference in New Issue