Replacement for the Kubernetes Pod Security Policy that controls the usage of SELinux in the pod
security context and on containers, init containers and ephemeral containers. This policy will
inspect the .spec.securityContext.seLinuxOptions of the pod if the container has no specific
.spec.securityContext.seLinuxOptions. In other words, the seLinuxOptions of the container, init
container and ephemeral containers take precedence over the pod seLinuxOptions, if any.
This policy works by defining what seLinuxOptions can be set at the pod level and at the container
level.
One of the following setting keys is accepted for this policy:
MustRunAs: contains the desired value for the seLinuxOptions parameter. If the pod does not contain a .securityContext, or a .securityContext.seLinuxOptions, then this policy acts as mutating and defaults the seLinuxOptions attribute to the one provided in the configuration. In all cases, pod containers, init container and ephemeral containers .seLinuxOptions are checked for compatibility if they override the Pod Security Context seLinuxOptions value.
RunAsAny: always accepts the request.
Configuration examples:
rule: RunAsAny

rule: MustRunAs
user: user
role: role
type: type
level: s0:c0,c6
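
The decision flow described above, as an added example that is not the policy's own code. It is a simplified model: the names `evaluate` and `selinux_options` are hypothetical, the pod specs are constructed, and "compatible" is assumed to mean equal to the configured MustRunAs values.

```python
# Added example: a simplified model of the rule described above, not the policy's code.
# Assumption: "compatible" means the options equal the configured MustRunAs values.
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")
FIELDS = ("user", "role", "type", "level")

def selinux_options(obj):
    """Return .securityContext.seLinuxOptions of a pod spec or container, or None."""
    return (obj.get("securityContext") or {}).get("seLinuxOptions")

def evaluate(pod_spec, settings):
    """Return (accepted, pod_level_default_to_apply, rejection_reasons)."""
    if settings["rule"] == "RunAsAny":
        return True, None, []          # always accepts the request
    if settings["rule"] != "MustRunAs":
        raise ValueError(f"unknown rule: {settings['rule']!r}")

    wanted = {f: settings[f] for f in FIELDS if f in settings}
    reasons, default = [], None

    pod_opts = selinux_options(pod_spec)
    if pod_opts is None:
        default = dict(wanted)         # mutating path: default the pod-level value
    elif pod_opts != wanted:
        reasons.append(f"pod: {pod_opts} != {wanted}")

    # A container-level value takes precedence over the pod-level one, so every
    # container kind that sets its own seLinuxOptions is checked on its own.
    for kind in CONTAINER_KEYS:
        for c in pod_spec.get(kind) or []:
            opts = selinux_options(c)
            if opts is not None and opts != wanted:
                reasons.append(f"{kind}/{c['name']}: {opts} != {wanted}")

    return (False, None, reasons) if reasons else (True, default, [])

# Constructed sample input, using the MustRunAs values from the example above.
WANTED = {"user": "user", "role": "role", "type": "type", "level": "s0:c0,c6"}
SETTINGS = {"rule": "MustRunAs", **WANTED}
NO_CONTEXT = {"containers": [{"name": "app"}]}
OVERRIDE = {
    "securityContext": {"seLinuxOptions": dict(WANTED)},
    "containers": [{"name": "app"}],
    "ephemeralContainers": [{"name": "debug", "securityContext": {
        "seLinuxOptions": {"type": "spc_t"}}}],
}
```

`evaluate(NO_CONTEXT, SETTINGS)` takes the mutating path, while `evaluate(OVERRIDE, SETTINGS)` is rejected because the ephemeral container overrides an otherwise compliant pod-level value.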