add vpn insecure namespace Change-Id: I8a774ae625342af3521ad0ab11a8f6d4e4ef6c97

commit: 98ef1518e01ed45210265b5fc787b47bbe71ce45 [log] [tgz]
author: Bartosz Stebel <bartoszstebel@gmail.com> Thu Apr 23 23:30:23 2020 +0200
committer: Bartosz Stebel <bartoszstebel@gmail.com> Fri Apr 24 13:28:38 2020 +0200
tree: 65cafa0e8bef8facee51225573b53528bd441b8c
parent: e9f4b77bf8cc68c3d10452095f62c5aa3aebeab4 [diff]
diff --git a/cluster/kube/cluster.jsonnet b/cluster/kube/cluster.jsonnet
index 49e1c5a..9a2abdb 100644
--- a/cluster/kube/cluster.jsonnet
+++ b/cluster/kube/cluster.jsonnet

@@ -145,6 +145,8 @@
         policies.AllowNamespaceInsecure("matrix"),
         policies.AllowNamespaceInsecure("registry"),
         policies.AllowNamespaceInsecure("internet"),
+        # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
+        policies.AllowNamespaceInsecure("implr-vpn"),
     ],
 
     // Allow all service accounts (thus all controllers) to create secure pods.
commit	98ef1518e01ed45210265b5fc787b47bbe71ce45	[log] [tgz]
author	Bartosz Stebel <bartoszstebel@gmail.com>	Thu Apr 23 23:30:23 2020 +0200
committer	Bartosz Stebel <bartoszstebel@gmail.com>	Fri Apr 24 13:28:38 2020 +0200
tree	65cafa0e8bef8facee51225573b53528bd441b8c
parent	e9f4b77bf8cc68c3d10452095f62c5aa3aebeab4 [diff]