Merge pull request #3311 from StrongMonkey/fix-psp-harden

Add clusterRole and binding to use restricted psp
rancher · May 28, 2021 · 411f1a1 · 411f1a1
2 parents 44a0623 + c689188
commit 411f1a1
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/content/rancher/v2.x/en/security/rancher-2.5/1.6-hardening-2.5/_index.md b/content/rancher/v2.x/en/security/rancher-2.5/1.6-hardening-2.5/_index.md
@@ -287,6 +287,36 @@ addons: |
     - configMap
     - projected
   ---
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: psp:restricted
+  rules:
+  - apiGroups:
+    - extensions
+    resourceNames:
+    - restricted
+    resources:
+    - podsecuritypolicies
+    verbs:
+    - use
+  ---
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: psp:restricted
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: psp:restricted
+  subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:serviceaccounts
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:authenticated
+  ---
   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata: