k8s: fix PodSecurityPolicy

examples/kubernetes/README.md

@@ -14,6 +14,10 @@ Deploy the service to listen for JVB UDP traffic on all cluster nodes port 30300
 
 `kubectl create -f jvb-service.yaml`
 
+If PodSecurityPolicies were enabled, we would then install a PSP and Role for jitsi:
+
+`kubectl create -f rbac.yaml`
+
 Now we can deploy the rest of the application. First modify the `DOCKER_HOST_ADDRESS` env value in deployment.yaml to point to one of nodes in your cluster (or load-balancer for all nodes if you have one), and then deploy it:
 
 `kubectl create -f deployment.yaml`

examples/kubernetes/deployment.yaml

@@ -1,3 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jitsi
+  namespace: jitsi
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -143,3 +150,4 @@ spec:
               value: jvbbrewery
             - name: TZ
               value: America/Los_Angeles
+      serviceAccountName: jitsi

examples/kubernetes/rbac.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: jitsi-privileged
+spec:
+  allowPrivilegeEscalation: true
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: false
+  hostNetwork: true
+  hostPID: true
+  hostPorts:
+  - max: 65535
+    min: 0
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jitsi-privileged
+  namespace: jitsi
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - jitsi-privileged
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jitsi-privileged
+  namespace: jitsi
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jitsi-privileged
+subjects:
+- kind: ServiceAccount
+  name: jitsi