From 1404b66cb67a0b6156c02b5c89699ee75b92f983 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20R=C3=BCger?=
Date: Mon, 9 Dec 2024 14:51:23 +0100
Subject: [PATCH] Drop PodSecurityPolicies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel RĂ¼ger
---
 charts/coredns/Chart.yaml | 6 +-
 .../coredns/templates/podsecuritypolicy.yaml | 47 -------------------
 charts/coredns/values.yaml | 9 ++--
 3 files changed, 7 insertions(+), 55 deletions(-)
 delete mode 100644 charts/coredns/templates/podsecuritypolicy.yaml
diff --git a/charts/coredns/Chart.yaml b/charts/coredns/Chart.yaml
index f076dd4..7c8fdaa 100644
--- a/charts/coredns/Chart.yaml
+++ b/charts/coredns/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: coredns
-version: 1.36.2
+version: 1.37.0
 appVersion: 1.11.4
 home: https://coredns.io
 icon: https://coredns.io/images/CoreDNS_Colour_Horizontal.png
@@ -19,5 +19,5 @@ maintainers:
 type: application
 annotations:
 artifacthub.io/changes: |
- - kind: changed
- description: Bump to v1.11.4
+ - kind: removed
+ description: Drop support for PodSecurityPolicy
diff --git a/charts/coredns/templates/podsecuritypolicy.yaml b/charts/coredns/templates/podsecuritypolicy.yaml
deleted file mode 100644
index 6e02e00..0000000
--- a/charts/coredns/templates/podsecuritypolicy.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{{- if and .Values.deployment.enabled .Values.rbac.pspEnable }}
-{{ if .Capabilities.APIVersions.Has "policy/v1beta1" }}
-apiVersion: policy/v1beta1
-{{ else }}
-apiVersion: extensions/v1beta1
-{{ end -}}
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "coredns.fullname" . }}
- labels: {{- include "coredns.labels" . | nindent 4 }}
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- # Add back CAP_NET_BIND_SERVICE so that coredns can run on port 53
- allowedCapabilities:
- - NET_BIND_SERVICE
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'RunAsAny'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
diff --git a/charts/coredns/values.yaml b/charts/coredns/values.yaml
index a5d70f3..10a18a6 100644
--- a/charts/coredns/values.yaml
+++ b/charts/coredns/values.yaml
@@ -76,11 +76,6 @@ serviceAccount:
 rbac:
 # If true, create & use RBAC resources
 create: true
- # If true, create and use PodSecurityPolicy
- pspEnable: false
- # The name of the ServiceAccount to use.
- # If not set and create is true, a name is generated using the fullname template
- # name:
 clusterRole:
 # By default a name is generated using the fullname template.
@@ -99,9 +94,13 @@ podSecurityContext: {}
 # Configure SecurityContext for Pod.
 # Ensure that required linux capability to bind port number below 1024 is assigned (`CAP_NET_BIND_SERVICE`).
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 # Default zone is what Kubernetes recommends:
 # https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#coredns-configmap-options
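Review bot: The hardened container `securityContext` stops short of the `restricted` Pod Security Standard that replaces the PodSecurityPolicy this commit drops: it forbids privilege escalation and drops all capabilities (adding back only `NET_BIND_SERVICE`, which restricted permits), but sets neither a seccomp profile nor `runAsNonRoot`, both of which restricted requires. I would add `runAsNonRoot: true` and `seccompProfile:` / `  type: RuntimeDefault` next to `allowPrivilegeEscalation: false`; the deleted PSP only had `runAsUser: rule: 'RunAsAny'`, so confirm the coredns image runs as a non-root user before turning `runAsNonRoot` on. Separately, `readOnlyRootFilesystem: true` and `drop: ALL` are new defaults that can break existing installs whose CoreDNS writes to the root filesystem or relies on extra capabilities, yet the `artifacthub.io/changes` annotation in this commit records only the PSP removal; a comment such as `# Hardened defaults (restricted PSS); override if your deployment needs a writable root filesystem or extra capabilities` above `securityContext:` plus a changelog entry would make that behaviour change visible to upgraders.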