github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885/testdata/local-charts/prometheus/templates/alertmanager/psp.yaml

github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885/testdata/local-charts/prometheus/templates/alertmanager/psp.yaml (about)

     1  {{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
     2  apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
     3  kind: PodSecurityPolicy
     4  metadata:
     5    name: {{ template "prometheus.alertmanager.fullname" . }}
     6    labels:
     7      {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
     8    annotations:
     9  {{- if .Values.alertmanager.podSecurityPolicy.annotations }}
    10  {{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }}
    11  {{- end }}
    12  spec:
    13    privileged: false
    14    allowPrivilegeEscalation: false
    15    requiredDropCapabilities:
    16      - ALL
    17    volumes:
    18      - 'configMap'
    19      - 'persistentVolumeClaim'
    20      - 'emptyDir'
    21      - 'secret'
    22    allowedHostPaths:
    23      - pathPrefix: /etc
    24        readOnly: true
    25      - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }}
    26    hostNetwork: false
    27    hostPID: false
    28    hostIPC: false
    29    runAsUser:
    30      rule: 'RunAsAny'
    31    seLinux:
    32      rule: 'RunAsAny'
    33    supplementalGroups:
    34      rule: 'MustRunAs'
    35      ranges:
    36        # Forbid adding the root group.
    37        - min: 1
    38          max: 65535
    39    fsGroup:
    40      rule: 'MustRunAs'
    41      ranges:
    42        # Forbid adding the root group.
    43        - min: 1
    44          max: 65535
    45    readOnlyRootFilesystem: true
    46  {{- end }}