Sample PodSecurityConfiguration

The following PodSecurityConfiguration contains the required Rancher namespace exemptions for a rancher-restricted cluster to run properly.

  1. apiVersion: apiserver.config.k8s.io/v1
  2. kind: AdmissionConfiguration
  3. plugins:
  4. - name: PodSecurity
  5. configuration:
  6. apiVersion: pod-security.admission.config.k8s.io/v1
  7. kind: PodSecurityConfiguration
  8. defaults:
  9. enforce: "restricted"
  10. enforce-version: "latest"
  11. audit: "restricted"
  12. audit-version: "latest"
  13. warn: "restricted"
  14. warn-version: "latest"
  15. exemptions:
  16. usernames: []
  17. runtimeClasses: []
  18. namespaces: [calico-apiserver,
  19. calico-system,
  20. cattle-alerting,
  21. cattle-csp-adapter-system,
  22. cattle-epinio-system,
  23. cattle-externalip-system,
  24. cattle-fleet-local-system,
  25. cattle-fleet-system,
  26. cattle-gatekeeper-system,
  27. cattle-global-data,
  28. cattle-global-nt,
  29. cattle-impersonation-system,
  30. cattle-istio,
  31. cattle-istio-system,
  32. cattle-logging,
  33. cattle-logging-system,
  34. cattle-monitoring-system,
  35. cattle-neuvector-system,
  36. cattle-prometheus,
  37. cattle-sriov-system,
  38. cattle-system,
  39. cattle-ui-plugin-system,
  40. cattle-windows-gmsa-system,
  41. cert-manager,
  42. cis-operator-system,
  43. fleet-default,
  44. ingress-nginx,
  45. istio-system,
  46. kube-node-lease,
  47. kube-public,
  48. kube-system,
  49. longhorn-system,
  50. rancher-alerting-drivers,
  51. security-scan,
  52. tigera-operator]