PodSecurityConfiguration 示例

以下 PodSecurityConfiguration 包含了 rancher-restricted 集群正常运行所需的 Rancher 命名空间豁免。

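  # AdmissionConfiguration for the kube-apiserver that wires the PodSecurity
  # admission plugin to the "restricted" profile and exempts the namespaces that
  # Rancher components run in.
  #
  # Namespaces listed under `exemptions.namespaces` skip enforce, audit AND warn
  # entirely (no pod in them is checked against the profile), so keep the list
  # limited to Rancher namespaces that actually exist on the cluster.
  ---
  apiVersion: apiserver.config.k8s.io/v1
  kind: AdmissionConfiguration
  plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1
        kind: PodSecurityConfiguration
        # Cluster-wide defaults, used for namespaces that carry no
        # pod-security.kubernetes.io/* labels of their own.
        defaults:
          enforce: "restricted"
          enforce-version: "latest"
          audit: "restricted"
          audit-version: "latest"
          warn: "restricted"
          warn-version: "latest"
        exemptions:
          # No user or RuntimeClass exemptions: an empty list, not a bare key
          # (a bare `usernames:` would parse as null).
          usernames: []
          runtimeClasses: []
          # Rancher-managed namespaces that bypass the policy above.
          namespaces:
            - calico-apiserver
            - calico-system
            - cattle-alerting
            - cattle-csp-adapter-system
            - cattle-elemental-system
            - cattle-epinio-system
            - cattle-externalip-system
            - cattle-fleet-local-system
            - cattle-fleet-system
            - cattle-gatekeeper-system
            - cattle-global-data
            - cattle-global-nt
            - cattle-impersonation-system
            - cattle-istio
            - cattle-istio-system
            - cattle-logging
            - cattle-logging-system
            - cattle-monitoring-system
            - cattle-neuvector-system
            - cattle-prometheus
            - cattle-resources-system
            - cattle-sriov-system
            - cattle-system
            - cattle-ui-plugin-system
            - cattle-windows-gmsa-system
            - cert-manager
            - cis-operator-system
            - fleet-default
            - ingress-nginx
            - istio-system
            - kube-node-lease
            - kube-public
            - kube-system
            - longhorn-system
            - rancher-alerting-drivers
            - security-scan
            - tigera-operator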