Merge pull request #184 from mrueg/drop-psp

Drop PodSecurityPolicies
coredns · Dec 9, 2024 · 3f8e7a6 · 3f8e7a6
2 parents 1a046e1 + 1404b66
commit 3f8e7a6
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 55 deletions.
diff --git a/charts/coredns/Chart.yaml b/charts/coredns/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: coredns
-version: 1.36.2
+version: 1.37.0
 appVersion: 1.11.4
 home: https://coredns.io
 icon: https://coredns.io/images/CoreDNS_Colour_Horizontal.png
@@ -19,5 +19,5 @@ maintainers:
 type: application
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: Bump to v1.11.4
+    - kind: removed
+      description: Drop support for PodSecurityPolicy
diff --git a/charts/coredns/templates/podsecuritypolicy.yaml b/charts/coredns/templates/podsecuritypolicy.yaml
diff --git a/charts/coredns/values.yaml b/charts/coredns/values.yaml
@@ -76,11 +76,6 @@ serviceAccount:
 rbac:
   # If true, create & use RBAC resources
   create: true
-  # If true, create and use PodSecurityPolicy
-  pspEnable: false
-  # The name of the ServiceAccount to use.
-  # If not set and create is true, a name is generated using the fullname template
-  # name:
 
 clusterRole:
   # By default a name is generated using the fullname template.
@@ -99,9 +94,13 @@ podSecurityContext: {}
 # Configure SecurityContext for Pod.
 # Ensure that required linux capability to bind port number below 1024 is assigned (`CAP_NET_BIND_SERVICE`).
 securityContext:
+  allowPrivilegeEscalation: false
   capabilities:
     add:
       - NET_BIND_SERVICE
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
 
 # Default zone is what Kubernetes recommends:
 # https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#coredns-configmap-options