@johananl
Created July 16, 2019 13:21
Private Docker registry on k8s
---
# Dedicated service account for the registry pod so that the PodSecurityPolicy
# below can be bound to it alone rather than to the namespace's default account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry
---
# Restrictive policy for the registry pod: no privileged mode, no privilege
# escalation, no host namespaces, a fixed set of allowed volume types and the
# default Docker seccomp profile.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: registry
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETUID
    - SETGID
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # RunAsAny: no non-root UID is enforced here; containment relies on the
  # dropped capabilities and the seccomp profile instead.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  # The registry writes its storage under /var/lib/registry, so the root
  # filesystem is left writable.
  readOnlyRootFilesystem: false
---
# Grant permission to 'use' the PSP above, and nothing else.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: registry
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - registry
---
# Bind that Role to the registry service account only.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: registry
roleRef:
  kind: Role
  name: registry
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: registry
---
# Single-replica registry. No volume is mounted, so registry storage is
# ephemeral and does not survive the pod being rescheduled.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
  labels:
    app: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      serviceAccountName: registry
      containers:
        - name: registry
          image: registry:2
          ports:
            - containerPort: 5000
---
# ClusterIP only: the registry is reachable from inside the cluster and is not
# exposed externally.
apiVersion: v1
kind: Service
metadata:
  name: registry
spec:
  selector:
    app: registry
  ports:
    - protocol: TCP
      port: 5000
      targetPort: 5000
  type: ClusterIP