@jeffdesc
Created January 14, 2020 14:16
Test deployment with sysctl config
# Deployment: a pod that sets an unsafe sysctl, runs as non-root, and adds ALL capabilities.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-sysctl-1
  labels:
    app.kubernetes.io/name: test-sysctl
    helm.sh/chart: test-sysctl
    app.kubernetes.io/instance: test-sysctl
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-sysctl
      helm.sh/chart: test-sysctl
      app.kubernetes.io/instance: test-sysctl
      app.kubernetes.io/managed-by: Helm
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-sysctl
        helm.sh/chart: test-sysctl
        app.kubernetes.io/instance: test-sysctl
        app.kubernetes.io/managed-by: Helm
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10000
        fsGroup: 999
        # net.ipv4.ip_forward is not on the kubelet's safe-sysctl list, so the node's
        # KubeletConfiguration must list it under allowedUnsafeSysctls and the
        # PodSecurityPolicy must permit it, or the pod is rejected.
        sysctls:
          - name: net.ipv4.ip_forward
            value: "1"
      imagePullSecrets:
        - name: harbor
      containers:
        - name: test-sysctl
          image: "docker-registry/container_image:1.1.3"
          securityContext:
            capabilities:
              add:
                - ALL
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
                name: test-sysctl-1
          env:
            - name: DISPLAY_NAME
              value: "test-sysctl"
          resources: {}
      volumes:
        - name: test-sysctl
          configMap:
            defaultMode: 0640
            name: test-sysctl-1
---
# KubeletConfiguration: the node-side allow-list that makes the sysctl above admissible.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
nodeStatusUpdateFrequency: "10s"
failSwapOn: true
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/ssl/ca.crt
authorization:
  mode: Webhook
staticPodPath: /etc/kubernetes/manifests
cgroupDriver: cgroupfs
maxPods: 110
address: 0.0.0.0
readOnlyPort: 0
healthzPort: 10248
healthzBindAddress: 127.0.0.1
kubeletCgroups: /systemd/system.slice
clusterDomain: kubernetes.local
rotateCertificates: true
clusterDNS:
  - 169.254.25.10
kubeReserved:
  cpu: 100m
  memory: 256M
resolvConf: "/etc/resolv.conf"
# Only the one sysctl the test deployment needs is whitelisted on the node.
allowedUnsafeSysctls:
  - net.ipv4.ip_forward
---
# PodSecurityPolicy: the cluster-side policy. The wildcard entries are test-only;
# the commented-out lines show the tighter settings they replace.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-test-sysctl
spec:
  allowPrivilegeEscalation: false
  # forbiddenSysctls:
  #   - '*'
  # '*' permits every unsafe sysctl the kubelet allows; narrow this to the names needed.
  allowedUnsafeSysctls:
    - '*'
  fsGroup:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  # requiredDropCapabilities:
  #   - ALL
  # allowedCapabilities:
  #   - NET_RAW
  #   - NET_ADMIN
  # '*' lets a pod add any capability, including ALL as the deployment above does.
  allowedCapabilities:
    - '*'
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
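As an added example that is not part of the gist: an offline check that mirrors the admission rules the three manifests depend on (PSP forbiddenSysctls, PSP allowedUnsafeSysctls, kubelet allowedUnsafeSysctls), run over the gist's own values. The safe-sysctl set and the `*`-suffix pattern matching follow the kubelet's documented behaviour; the input lists are constructed here from the manifests.

```python
# Added example, not part of the gist: mirrors the sysctl admission checks that
# the Deployment, KubeletConfiguration and PodSecurityPolicy above depend on.

# Sysctls the kubelet treats as safe (namespaced and isolated); it admits these
# without any allow-list. Everything else is "unsafe" and must be whitelisted.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}


def sysctl_matches(name, pattern):
    """Match a sysctl against a PSP/kubelet entry: exact name, or '*' suffix as prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def check_sysctls(pod_sysctls, kubelet_allowed, psp_allowed, psp_forbidden=()):
    """Return findings for a pod's securityContext.sysctls; [] means it is admitted."""
    findings = []
    for entry in pod_sysctls:
        name = entry["name"]
        # PSP forbiddenSysctls wins over every allow-list, safe sysctls included.
        if any(sysctl_matches(name, p) for p in psp_forbidden):
            findings.append(f"{name}: forbidden by PodSecurityPolicy")
            continue
        if name in SAFE_SYSCTLS:
            continue
        # Unsafe sysctls must pass the PSP at API admission ...
        if not any(sysctl_matches(name, p) for p in psp_allowed):
            findings.append(f"{name}: not in PSP allowedUnsafeSysctls")
        # ... and the node's kubelet allow-list, or the kubelet rejects the pod.
        if not any(sysctl_matches(name, p) for p in kubelet_allowed):
            findings.append(f"{name}: not in kubelet allowedUnsafeSysctls")
    if "*" in psp_allowed:
        findings.append("PSP allowedUnsafeSysctls is '*': permits every unsafe sysctl")
    return findings


def check_gist_config():
    """The gist's values: one unsafe sysctl, kubelet allows it, PSP allows everything."""
    pod = [{"name": "net.ipv4.ip_forward", "value": "1"}]  # from the Deployment
    return check_sysctls(pod, ["net.ipv4.ip_forward"], ["*"])


if __name__ == "__main__":
    for finding in check_gist_config():
        print(finding)
```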