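{{- /*
Source: github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885/testdata/local-charts/prometheus/templates/alertmanager/psp.yaml

PodSecurityPolicy applied to the Alertmanager pods. The manifest is rendered
only when Alertmanager, RBAC creation and PodSecurityPolicy support are all
enabled in the chart values.
*/ -}}
{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
# PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25.
# On clusters without the API this policy enforces nothing; the same
# restrictions then have to come from Pod Security Admission or a policy engine.
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.alertmanager.fullname" . }}
  labels:
    {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
  {{- if .Values.alertmanager.podSecurityPolicy.annotations }}
  # Emitted only when annotations are configured, so the key is never left as
  # a bare (null) value.
  annotations:
    {{- toYaml .Values.alertmanager.podSecurityPolicy.annotations | nindent 4 }}
  {{- end }}
spec:
  # No privileged containers, no setuid-style escalation, and every Linux
  # capability must be dropped.
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Allow-list of volume types. 'hostPath' is not listed, so pods admitted
  # under this policy cannot mount host paths at all.
  volumes:
    - 'configMap'
    - 'persistentVolumeClaim'
    - 'emptyDir'
    - 'secret'
  # NOTE(review): these prefixes only take effect if 'hostPath' is added to
  # `volumes` above. If that ever happens, the second entry has no
  # `readOnly: true`, so host paths under it could be mounted writable.
  allowedHostPaths:
    - pathPrefix: /etc
      readOnly: true
    # Quoted so an empty or unusual mountPath value cannot change the YAML
    # type or structure of this entry.
    - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath | quote }}
  # No access to the node's network, PID or IPC namespaces.
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # NOTE(review): 'RunAsAny' admits containers running as UID 0. The group
  # rules below exclude GID 0 only; 'MustRunAsNonRoot' would close the gap if
  # the Alertmanager image runs as a non-root user (confirm before changing).
  runAsUser:
    rule: 'RunAsAny'
  # The SELinux context is left unconstrained by this policy.
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  # The container root filesystem is read-only; writable data has to live on
  # one of the allowed volume types.
  readOnlyRootFilesystem: true
{{- end }}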