Sample PodSecurityConfiguration

The following PodSecurityConfiguration contains the required Rancher namespace exemptions for a rancher-restricted cluster to run properly.

  1. apiVersion: apiserver.config.k8s.io/v1
  2. kind: AdmissionConfiguration
  3. plugins:
  4.   - name: PodSecurity
  5.     configuration:
  6.       apiVersion: pod-security.admission.config.k8s.io/v1
  7.       kind: PodSecurityConfiguration
  8.       defaults:
  9.         enforce: "restricted"
  10.         enforce-version: "latest"
  11.         audit: "restricted"
  12.         audit-version: "latest"
  13.         warn: "restricted"
  14.         warn-version: "latest"
  15.       exemptions:
  16.         usernames: []
  17.         runtimeClasses: []
  18.         namespaces: [calico-apiserver,
  19.                      calico-system,
  20.                      cattle-alerting,
  21.                      cattle-csp-adapter-system,
  22.                      cattle-epinio-system,
  23.                      cattle-externalip-system,
  24.                      cattle-fleet-local-system,
  25.                      cattle-fleet-system,
  26.                      cattle-gatekeeper-system,
  27.                      cattle-global-data,
  28.                      cattle-global-nt,
  29.                      cattle-impersonation-system,
  30.                      cattle-istio,
  31.                      cattle-istio-system,
  32.                      cattle-logging,
  33.                      cattle-logging-system,
  34.                      cattle-monitoring-system,
  35.                      cattle-neuvector-system,
  36.                      cattle-prometheus,
  37.                      cattle-sriov-system,
  38.                      cattle-system,
  39.                      cattle-ui-plugin-system,
  40.                      cattle-windows-gmsa-system,
  41.                      cert-manager,
  42.                      cis-operator-system,
  43.                      fleet-default,
  44.                      ingress-nginx,
  45.                      istio-system,
  46.                      kube-node-lease,
  47.                      kube-public,
  48.                      kube-system,
  49.                      longhorn-system,
  50.                      rancher-alerting-drivers,
  51.                      security-scan,
  52.                      tigera-operator]