Sample PodSecurityConfiguration

The following PodSecurityConfiguration contains the Rancher namespace exemptions that a cluster using the rancher-restricted profile needs in order to run properly. The kube-apiserver loads an AdmissionConfiguration like this one through its `--admission-control-config-file` flag. Keep in mind that an exempted namespace is skipped by all three modes (enforce, audit and warn), so pods created there are not checked by Pod Security Admission at all; treat the list as a trust grant, keep it to the namespaces Rancher and its charts need, and do not add workload namespaces to it.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [calico-apiserver,
                   calico-system,
                   cattle-alerting,
                   cattle-csp-adapter-system,
                   cattle-elemental-system,
                   cattle-epinio-system,
                   cattle-externalip-system,
                   cattle-fleet-local-system,
                   cattle-fleet-system,
                   cattle-gatekeeper-system,
                   cattle-global-data,
                   cattle-global-nt,
                   cattle-impersonation-system,
                   cattle-istio,
                   cattle-istio-system,
                   cattle-logging,
                   cattle-logging-system,
                   cattle-monitoring-system,
                   cattle-neuvector-system,
                   cattle-prometheus,
                   cattle-provisioning-capi-system,
                   cattle-resources-system,
                   cattle-sriov-system,
                   cattle-system,
                   cattle-ui-plugin-system,
                   cattle-windows-gmsa-system,
                   cert-manager,
                   cis-operator-system,
                   fleet-default,
                   ingress-nginx,
                   istio-system,
                   kube-node-lease,
                   kube-public,
                   kube-system,
                   longhorn-system,
                   rancher-alerting-drivers,
                   security-scan,
                   tigera-operator]
```
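To see what the configuration above actually grants, the following is an added example (not Rancher or Kubernetes code) that models how Pod Security Admission resolves it for a given pod and lints the exemptions list. It follows the documented evaluation order: an exempted request skips every mode, otherwise a `pod-security.kubernetes.io/<mode>` label on the namespace overrides the configured default for that mode. The `CONFIG` dict and `RANCHER_EXEMPT_NAMESPACES` list are transcribed from the YAML above so the script runs without a YAML library; the function names `is_exempt`, `effective_levels` and `lint_exemptions` are this example's own, and invalid label values are rejected with an error rather than modelled.

```python
"""Added example, not Rancher or Kubernetes code: a small model of how Pod
Security Admission (PSA) resolves the PodSecurityConfiguration above, plus a
lint pass over its exemptions. Exempted requests skip every mode; otherwise a
pod-security.kubernetes.io/<mode> namespace label overrides the configured
default for that mode. Invalid label values raise instead of being modelled."""

from typing import Dict, List, Optional, Set

MODES = ("enforce", "audit", "warn")
LEVELS = ("privileged", "baseline", "restricted")

# Transcribed from the exemptions.namespaces list in the configuration above.
RANCHER_EXEMPT_NAMESPACES: List[str] = [
    "calico-apiserver", "calico-system", "cattle-alerting", "cattle-csp-adapter-system",
    "cattle-elemental-system", "cattle-epinio-system", "cattle-externalip-system",
    "cattle-fleet-local-system", "cattle-fleet-system", "cattle-gatekeeper-system",
    "cattle-global-data", "cattle-global-nt", "cattle-impersonation-system", "cattle-istio",
    "cattle-istio-system", "cattle-logging", "cattle-logging-system",
    "cattle-monitoring-system", "cattle-neuvector-system", "cattle-prometheus",
    "cattle-provisioning-capi-system", "cattle-resources-system", "cattle-sriov-system",
    "cattle-system", "cattle-ui-plugin-system", "cattle-windows-gmsa-system", "cert-manager",
    "cis-operator-system", "fleet-default", "ingress-nginx", "istio-system",
    "kube-node-lease", "kube-public", "kube-system", "longhorn-system",
    "rancher-alerting-drivers", "security-scan", "tigera-operator",
]

# The "configuration" object of the PodSecurity plugin above, as a plain dict.
CONFIG = {
    "defaults": {
        "enforce": "restricted", "enforce-version": "latest",
        "audit": "restricted", "audit-version": "latest",
        "warn": "restricted", "warn-version": "latest",
    },
    "exemptions": {
        "usernames": [],
        "runtimeClasses": [],
        "namespaces": RANCHER_EXEMPT_NAMESPACES,
    },
}


def is_exempt(config: dict, namespace: str, username: Optional[str] = None,
              runtime_class: Optional[str] = None) -> bool:
    """True if PSA would not evaluate this request at all."""
    ex = config["exemptions"]
    return (namespace in ex["namespaces"]
            or (username is not None and username in ex["usernames"])
            or (runtime_class is not None and runtime_class in ex["runtimeClasses"]))


def effective_levels(config: dict, namespace: str,
                     ns_labels: Optional[Dict[str, str]] = None,
                     username: Optional[str] = None,
                     runtime_class: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Map each mode to the level applied to a pod created in `namespace`.

    None means the mode is skipped entirely: an exempt pod is neither rejected
    nor audited nor warned about, which is why every exemption is a trust grant.
    """
    if is_exempt(config, namespace, username, runtime_class):
        return {mode: None for mode in MODES}
    labels = ns_labels or {}
    levels: Dict[str, Optional[str]] = {}
    for mode in MODES:
        label = labels.get(f"pod-security.kubernetes.io/{mode}")
        if label is None:
            levels[mode] = config["defaults"][mode]
        elif label in LEVELS:
            levels[mode] = label
        else:
            raise ValueError(f"invalid {mode} label on namespace {namespace}: {label!r}")
    return levels


def lint_exemptions(config: dict, required: Set[str]) -> List[str]:
    """Return findings for gaps and over-broad grants; an empty list means clean."""
    findings: List[str] = []
    ex = config["exemptions"]
    have = set(ex["namespaces"])
    for ns in sorted(required - have):
        findings.append(f"missing required namespace exemption: {ns}")
    for ns in sorted(have - required):
        findings.append(f"namespace exempted beyond the required set: {ns}")
    for user in ex["usernames"]:
        findings.append(f"username exemption: every pod created by {user} bypasses PSA")
    for rc in ex["runtimeClasses"]:
        findings.append(f"runtimeClass exemption: every pod using {rc} bypasses PSA")
    for mode in MODES:
        if config["defaults"].get(mode) != "restricted":
            findings.append(f"{mode} default is {config['defaults'].get(mode)!r}, not restricted")
    return findings


if __name__ == "__main__":
    print("cattle-system:", effective_levels(CONFIG, "cattle-system"))
    print("default:", effective_levels(CONFIG, "default"))
    print("findings:", lint_exemptions(CONFIG, set(RANCHER_EXEMPT_NAMESPACES)))
```

Running it shows the two sides of the configuration: a pod in `cattle-system` gets no enforce, audit or warn evaluation at all, while a pod in `default` is held to restricted in every mode unless the namespace carries a label that lowers it. Pointing `lint_exemptions` at a modified copy of the config is a cheap pre-commit check that nobody has added a workload namespace, a username or a RuntimeClass to the exemptions, each of which would silently switch PSA off for everything it matches.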