Merge pull request #67624 from tallclair/psp-addons

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Allow adding default capabilities to unprivileged addons **What this PR does / why we need it**: Allow adding the default set of capabilities back to unprivileged addons, when using the the default GCE PodSecurityPolicies. This is useful when paired with `drop: [ 'all' ]` This is not a relaxation of permissions, as a pod that didn't touch capabilities (implicitly has the default set) is already allowed. **Which issue(s) this PR fixes**: Fixes https://github.com/kubernetes/dns/issues/254 **Release note**: ```release-note NONE ```
2018-08-21 19:51:07 -07:00 · 2018-08-21 19:51:07 -07:00 · b72e61edaa
parent 09cdfc5287 13adb97714
commit b72e61edaa
1 changed files with 16 additions and 0 deletions
--- a/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
+++ b/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
@ -19,6 +19,22 @@ metadata:
 spec:
  privileged: false
  allowPrivilegeEscalation: false
+  # The docker default set of capabilities
+  allowedCapabilities:
+  - SETPCAP
+  - MKNOD
+  - AUDIT_WRITE
+  - CHOWN
+  - NET_RAW
+  - DAC_OVERRIDE
+  - FOWNER
+  - FSETID
+  - KILL
+  - SETGID
+  - SETUID
+  - NET_BIND_SERVICE
+  - SYS_CHROOT
+  - SETFCAP
  volumes:
  - 'emptyDir'
  - 'configMap'