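# github.com/alibaba/sealer@v0.8.6-0.20220430115802-37a2bdaa8173/applications/kube-prometheus-stack/hooks.yaml
#
# Helm hook resources rendered from the kube-prometheus-stack chart (25.0.0).
# They provide the identity, RBAC and Jobs that run kube-webhook-certgen to
# create the admission-webhook TLS secret (pre-install/pre-upgrade) and to
# patch the webhook configurations (post-install/post-upgrade), plus the
# Grafana chart's test pod.
#
# Review changes relative to the rendered chart output (least privilege):
#   * ClusterRole: get/update on webhook configurations is limited to the
#     configuration name the patch Job is given via --webhook-name.
#   * Role: `get` on secrets is limited to the secret named via --secret-name;
#     `create` stays unrestricted because RBAC cannot match resourceNames on
#     create requests.
#   * Jobs: the certgen containers disallow privilege escalation and drop all
#     Linux capabilities.
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml
# NOTE(review): policy/v1beta1 PodSecurityPolicy was removed in Kubernetes 1.25.
# On clusters without the PSP API this object cannot be created, so the Jobs'
# own securityContext is the control that has to hold.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kube-prometheus-stack-admission
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
spec:
  privileged: false
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Permits the container to run with root privileges as well.
    # NOTE(review): both Jobs bound to this policy run as UID 2000 with
    # runAsNonRoot, so 'MustRunAsNonRoot' looks sufficient here; confirm no
    # other workload is granted `use` on this policy before tightening.
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group.
      - min: 0
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group.
      - min: 0
        max: 65535
  # NOTE(review): the policy sets neither allowPrivilegeEscalation nor
  # requiredDropCapabilities, so those are enforced on the Job containers
  # themselves further down.
  readOnlyRootFilesystem: false
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/serviceaccount.yaml
# Identity used by both certgen Jobs; it only exists for the duration of the
# hooks (hook-delete-policy: hook-succeeded).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-prometheus-stack-admission
  namespace: kube-prometheus-stack
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-prometheus-stack-admission
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - update
    # Without resourceNames this rule allows rewriting every admission
    # webhook in the cluster. The patch Job only addresses the configuration
    # passed as --webhook-name, so access is scoped to that name.
    resourceNames:
      - kube-prometheus-stack-admission
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - kube-prometheus-stack-admission
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-prometheus-stack-admission
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-prometheus-stack-admission
subjects:
  - kind: ServiceAccount
    name: kube-prometheus-stack-admission
    namespace: kube-prometheus-stack
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kube-prometheus-stack-admission
  namespace: kube-prometheus-stack
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
rules:
  # Reading is limited to the certificate secret named by --secret-name, so
  # the Job identity cannot read other secrets in the namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - kube-prometheus-stack-admission
  # `create` cannot be restricted with resourceNames, so it is a separate rule.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kube-prometheus-stack-admission
  namespace: kube-prometheus-stack
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kube-prometheus-stack-admission
subjects:
  - kind: ServiceAccount
    name: kube-prometheus-stack-admission
    namespace: kube-prometheus-stack
---
# Source: kube-prometheus-stack/charts/grafana/templates/tests/test.yaml
# Helm test pod for Grafana; it runs the bats script mounted from a ConfigMap.
apiVersion: v1
kind: Pod
metadata:
  name: kube-prometheus-stack-grafana-test
  labels:
    helm.sh/chart: grafana-6.19.4
    app.kubernetes.io/name: grafana
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "8.3.3"
    app.kubernetes.io/managed-by: Helm
  annotations:
    "helm.sh/hook": test-success
  namespace: kube-prometheus-stack
spec:
  serviceAccountName: kube-prometheus-stack-grafana-test
  containers:
    - name: kube-prometheus-stack-test
      # NOTE(review): unlike the certgen image below, this image is referenced
      # by mutable tag only. Pin it by digest
      # (bats/bats:v1.4.1@sha256:<digest-verified-against-the-registry>).
      # NOTE(review): no securityContext is set on this pod or container.
      image: "bats/bats:v1.4.1"
      imagePullPolicy: "IfNotPresent"
      command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"]
      volumeMounts:
        - mountPath: /tests
          name: tests
          readOnly: true
  volumes:
    - name: tests
      configMap:
        name: kube-prometheus-stack-grafana-test
  restartPolicy: Never
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
# Pre-install/pre-upgrade Job: creates the TLS secret for the operator's
# admission webhook.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-prometheus-stack-admission-create
  namespace: kube-prometheus-stack
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission-create
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
spec:
  template:
    metadata:
      name: kube-prometheus-stack-admission-create
      labels:
        app: kube-prometheus-stack-admission-create
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/instance: kube-prometheus-stack
        app.kubernetes.io/version: "25.0.0"
        app.kubernetes.io/part-of: kube-prometheus-stack
        chart: kube-prometheus-stack-25.0.0
        release: "kube-prometheus-stack"
        heritage: "Helm"
    spec:
      containers:
        - name: create
          # Image is pinned by digest, so the tag cannot be repointed.
          # NOTE(review): k8s.gcr.io is a frozen legacy registry; mirror or
          # migrate this reference when the chart is next updated.
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=kube-prometheus-stack-operator,kube-prometheus-stack-operator.kube-prometheus-stack.svc
            - --namespace=kube-prometheus-stack
            - --secret-name=kube-prometheus-stack-admission
          # The container holds a token that can create secrets; it needs no
          # extra kernel privileges to do so.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): no requests/limits are set for this container.
          resources: {}
      restartPolicy: OnFailure
      serviceAccountName: kube-prometheus-stack-admission
      securityContext:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
# Post-install/post-upgrade Job: patches the webhook configurations named by
# --webhook-name using the secret created by the Job above.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-prometheus-stack-admission-patch
  namespace: kube-prometheus-stack
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission-patch
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/version: "25.0.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-25.0.0
    release: "kube-prometheus-stack"
    heritage: "Helm"
spec:
  template:
    metadata:
      name: kube-prometheus-stack-admission-patch
      labels:
        app: kube-prometheus-stack-admission-patch
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/instance: kube-prometheus-stack
        app.kubernetes.io/version: "25.0.0"
        app.kubernetes.io/part-of: kube-prometheus-stack
        chart: kube-prometheus-stack-25.0.0
        release: "kube-prometheus-stack"
        heritage: "Helm"
    spec:
      containers:
        - name: patch
          # Same digest-pinned image as the create Job.
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=kube-prometheus-stack-admission
            - --namespace=kube-prometheus-stack
            - --secret-name=kube-prometheus-stack-admission
            - --patch-failure-policy=Fail
          # The container holds a token that can update admission webhooks;
          # it needs no extra kernel privileges to do so.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): no requests/limits are set for this container.
          resources: {}
      restartPolicy: OnFailure
      serviceAccountName: kube-prometheus-stack-admission
      securityContext:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000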