Update psp example

PatTheSilent · Aug 11, 2020 · bfdff5e · bfdff5e
1 parent ba10a8a
commit bfdff5e
Showing 1 changed file with 28 additions and 43 deletions.
diff --git a/docs/examples/psp/psp.yaml b/docs/examples/psp/psp.yaml
@@ -8,49 +8,37 @@ metadata:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  annotations:
-    # Assumes apparmor available
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
   name: ingress-nginx
+  namespace: ingress-nginx
 spec:
   allowedCapabilities:
-  - NET_BIND_SERVICE
+    - NET_BIND_SERVICE
+  privileged: false
   allowPrivilegeEscalation: true
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-    - min: 1
-      max: 65535
+  # Allow core volume types.
+  volumes:
+    - configMap
+    - secret
   hostIPC: false
-  hostNetwork: false
   hostPID: false
-  hostPorts:
-  - min: 80
-    max: 65535
-  privileged: false
-  readOnlyRootFilesystem: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
-    ranges:
-    - min: 101
-      max: 65535
-  seLinux:
-    rule: 'RunAsAny'
+    # Require the container to run without root privileges.
+    rule: MustRunAsNonRoot
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
-    # Forbid adding the root group.
-    - min: 1
-      max: 65535
-  volumes:
-  - 'configMap'
-  - 'downwardAPI'
-  - 'emptyDir'
-  - 'projected'
-  - 'secret'
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  seLinux:
+    rule: RunAsAny
 
 ---
 
@@ -60,14 +48,10 @@ metadata:
   name: ingress-nginx-psp
   namespace: ingress-nginx
 rules:
-- apiGroups:
-  - policy
-  resourceNames:
-  - ingress-nginx
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
+- apiGroups: [policy]
+  resources: [podsecuritypolicies]
+  verbs: [use]
+  resourceNames: [ingress-nginx]
 
 ---
 
@@ -84,4 +68,5 @@ subjects:
 - kind: ServiceAccount
   name: default
 - kind: ServiceAccount
-  name: nginx-ingress-serviceaccount
+  name: ingress-nginx
+  namespace: ingress-nginx