From 98ef1518e01ed45210265b5fc787b47bbe71ce45 Mon Sep 17 00:00:00 2001
From: Bartosz Stebel
Date: Thu, 23 Apr 2020 23:30:23 +0200
Subject: [PATCH] add vpn insecure namespace
Change-Id: I8a774ae625342af3521ad0ab11a8f6d4e4ef6c97
---
 cluster/kube/cluster.jsonnet | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cluster/kube/cluster.jsonnet b/cluster/kube/cluster.jsonnet
index 49e1c5af..9a2abdb6 100644
--- a/cluster/kube/cluster.jsonnet
+++ b/cluster/kube/cluster.jsonnet
@@ -145,6 +145,8 @@ local Cluster(short, realm) = {
 policies.AllowNamespaceInsecure("matrix"),
 policies.AllowNamespaceInsecure("registry"),
 policies.AllowNamespaceInsecure("internet"),
+ # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
+ policies.AllowNamespaceInsecure("implr-vpn"),
 ],
 // Allow all service accounts (thus all controllers) to create secure pods.
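Review bot: The added `policies.AllowNamespaceInsecure("implr-vpn")` entry gives the namespace the same insecure policy as `matrix`, `registry` and `internet`, even though the TODO directly above it says the workload only needs CAP_NET_ADMIN and a tun/tap device. What the insecure policy permits is defined outside this hunk, but the TODO's own wording ("no full root") implies it includes root, so every pod that can be created in `implr-vpn` is over-privileged until the restricted policy exists. I would either land the narrower policy together with this entry or make the exception traceable and time-boxed, e.g. `// TODO(implr): temporary; replace with a policy allowing only NET_ADMIN + tun/tap (tracking: <ISSUE-ID>)`. As a style point, the new comment uses `#` while the surrounding context uses `//`. The policy list and the enclosing `Cluster` body begin and end outside the hunk, so who may create pods in this namespace cannot be checked from here.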