# Copyright 2018, AT&T Intellectual Property
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
conf:
  # The keys under serviceaccounts define specific serviceaccounts, for
  # which this tempalte creates clusterRoleBindigs to bind the serviceaccounts
  # to the clusterRole. The cluserRole names are defined by the value for
  # each each key.
  # Each clusterRoles uses a podSecurityPolicy with the same name, defined
  # in the data section below.
  # Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount,
  # assigned to a pod, to assess if it is allowed to create the pod and its
  # listed containers with the securityContexts defined in thier specs.
  serviceaccounts: {}
  #  namespace-1:service-account-1: psp-all-permissive

  # This defines creation of ClusterRoleBindings that configure
  # default PodSecurityPolicies for the subjects below.
  # `nil` avoids creation of a default binding for the subject.
  #
  defaults:
    serviceaccounts: psp-default
    authenticated: psp-default
    unauthenticated: nil

data:
  # Each of these corresponds to the `spec` of a PodSecurityPolicy object.
  # Note that this default PodSecurityPolicy is incredibly permissive.  It is
  # intended to be tuned over time as a default, and to be overridden by
  # operators as appropriate.
  #
  # A ClusterRole will be created for the PSP, with the same `metadata.name`.
  #
  # Note: you can define as many PSPs here as you need.
  #
  psp-default:  # This will be the `metadata.name` of the PodSecurityPolicy
    annotations: {}  # Placeholder to add seccomp/apparmor default annotations
    spec:
      privileged: true
      allowPrivilegeEscalation: true
      hostNetwork: true
      hostPID: true
      hostIPC: true
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      volumes:
        - '*'
      allowedCapabilities:
        - '*'
      hostPorts:
        - min: 1
          max: 65536
manifests:
  podsecuritypolicy: true
...