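{{- /*
Source: helm/trivy/templates/podsecuritypolicy.yaml

Restricted-profile PodSecurityPolicy for the Trivy pods. It is rendered only
when .Values.rbac.pspEnabled is set AND the target cluster still serves
policy/v1beta1 PodSecurityPolicy. PSP was removed in Kubernetes 1.25, so on
such clusters this template renders nothing and none of the constraints below
are enforced by it -- use the equivalent Pod Security Admission level
("restricted") or an admission policy engine there instead. Note also that an
offline `helm template` does not know the cluster's API versions, so rendering
this file without a live cluster needs
`--api-versions policy/v1beta1/PodSecurityPolicy`.

A PSP only applies to a pod if the pod's service account is granted the `use`
verb on this policy through RBAC; that binding is not in this file (presumably
in the chart's Role/RoleBinding templates -- verify before relying on
pspEnabled). Seccomp/AppArmor profile restrictions were expressed as PSP
annotations and can be supplied through .Values.rbac.pspAnnotations.
*/}}
{{- if .Values.rbac.pspEnabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "trivy.fullname" . }}
  {{- with .Values.rbac.pspAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "trivy.labels" . | nindent 4 }}
spec:
  # No privileged containers and no privilege escalation (setuid binaries,
  # file capabilities) beyond the parent process.
  privileged: false
  allowPrivilegeEscalation: false
  # Allow-list of volume types; hostPath is not in the list, so pods cannot
  # mount node filesystem paths.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'persistentVolumeClaim'
    - 'secret'
    - 'projected'
    - 'downwardAPI'
  # No sharing of host network, IPC or PID namespaces.
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # Pods must run as a non-root user.
  runAsUser:
    rule: 'MustRunAsNonRoot'
  # SELinux context is not constrained here; left to runtime/cluster defaults.
  seLinux:
    rule: 'RunAsAny'
  # Supplemental groups and fsGroup must be set and must exclude GID 0.
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  # Root filesystem is read-only; anything the scanner needs to write must be
  # mounted from one of the volume types allowed above (e.g. emptyDir or a
  # PersistentVolumeClaim).
  readOnlyRootFilesystem: true
  # Drop every Linux capability; none are re-added (no allowedCapabilities).
  requiredDropCapabilities:
    - ALL
{{- end }}
{{- end }}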