Add securityPolicies value for PSP deployment

Arthur Evstifeev requested to merge aevstifeev/apparmor:psp-deployment into master

This MR implements support for PSP so users could activate loaded profiles for multiple pods via PSP.

related to gitlab-org/gitlab#223816 (closed)

Examples:

# Source: apparmor/templates/psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: release-name-apparmor-example
  annotations:
spec:
  fsGroup:
    rule: RunAsAny
  privileged: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

# Source: apparmor/templates/psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: release-name-apparmor-example
  annotations:
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'profile-one'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'profile-one,profile-two'
spec:
  fsGroup:
    rule: RunAsAny
  privileged: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
Edited by Arthur Evstifeev
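
An added example, not part of the merge request or the chart's code: a simplified Python model of how PSP admission treats the two annotations in the second rendered policy, defaulting containers that carry no profile annotation to `defaultProfileName` and rejecting profiles outside `allowedProfileNames`. The `admit` helper and the pod dictionaries are hypothetical and constructed for illustration; the first rendered policy (empty `annotations:`) is modelled as having no annotations.

```python
# Simplified model of PSP AppArmor admission (an assumption for illustration,
# not Kubernetes source and not code from this chart).
PSP_PREFIX = "apparmor.security.beta.kubernetes.io/"
CONTAINER_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# First rendered example: 'annotations:' with no keys parses as null.
PSP_PLAIN = None
# Second rendered example, values copied from the page.
PSP_RESTRICTED = {
    PSP_PREFIX + "defaultProfileName": "profile-one",
    PSP_PREFIX + "allowedProfileNames": "profile-one,profile-two",
}

# Constructed pods: only the fields the check needs.
POD_NO_ANNOTATION = {"annotations": {}, "containers": ["app"]}
POD_PROFILE_TWO = {"annotations": {CONTAINER_PREFIX + "app": "profile-two"},
                   "containers": ["app"]}
POD_UNCONFINED = {"annotations": {CONTAINER_PREFIX + "app": "unconfined"},
                  "containers": ["app"]}


def admit(psp_annotations, pod):
    """Return (admitted, {container: effective profile}, [errors])."""
    psp_annotations = psp_annotations or {}
    default = psp_annotations.get(PSP_PREFIX + "defaultProfileName", "")
    allowed_raw = psp_annotations.get(PSP_PREFIX + "allowedProfileNames")
    # No allowedProfileNames annotation means the policy does not restrict profiles.
    allowed = None if allowed_raw is None else set(allowed_raw.split(","))

    pod_annotations = pod.get("annotations") or {}
    effective, errors = {}, []
    for name in pod["containers"]:
        # A profile the pod sets itself wins; otherwise the PSP default applies.
        profile = pod_annotations.get(CONTAINER_PREFIX + name) or default
        effective[name] = profile or None
        if allowed is not None and profile not in allowed:
            errors.append(f"{name}: profile {profile!r} not in allowedProfileNames")
    return (not errors, effective, errors)


if __name__ == "__main__":
    for label, psp in (("plain", PSP_PLAIN), ("restricted", PSP_RESTRICTED)):
        for pod in (POD_NO_ANNOTATION, POD_PROFILE_TWO, POD_UNCONFINED):
            print(label, admit(psp, pod))
```

Under the policy without annotations, a pod that requests `unconfined` is admitted and an unannotated pod gets no profile from the policy, which is the gap the annotated policy closes.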