Give the concierge access to use any PodSecurityPolicy.
This is needed on clusters with PodSecurityPolicy enabled by default, but should be harmless in other cases. It is generally needed because a restrictive PodSecurityPolicy would otherwise usually prevent the `hostPath` volume mount needed by the dynamically-created cert agent pod. Signed-off-by: Matt Moyer <moyerm@vmware.com>
parent
7639d5e161
commit
935577f8e7
@ -21,6 +21,9 @@ rules:
|
|||||||
- apiGroups: [ admissionregistration.k8s.io ]
|
- apiGroups: [ admissionregistration.k8s.io ]
|
||||||
resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
|
resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
|
||||||
verbs: [ get, list, watch ]
|
verbs: [ get, list, watch ]
|
||||||
|
- apiGroups: [ policy ]
|
||||||
|
resources: [ podsecuritypolicies ]
|
||||||
|
verbs: [ use ]
|
||||||
---
|
---
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
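Review bot: The new `policy` / `podsecuritypolicies` rule grants `use` with no `resourceNames`, so whatever is bound to this ClusterRole is authorized for every PodSecurityPolicy in the cluster, including any privileged one, while the commit message only calls for the `hostPath` mount needed by the cert agent pod. Consider shipping a dedicated policy that permits just that mount and scoping the rule to it, e.g. adding `resourceNames: [ <concierge-psp-name> ]` (placeholder name) under `resources: [ podsecuritypolicies ]`. If the blanket grant has to stay, a comment such as `# use on all PSPs: cert agent pod needs a hostPath volume and the permitting PSP's name varies per cluster` would record the reason next to the rule. The ClusterRole's header and the binding's subjects are outside the hunk, so who actually receives this permission should be confirmed there.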