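{{/*
PodSecurityPolicy for the Prometheus node-exporter pods.

Rendered only when nodeExporter.enabled, rbac.create and
podSecurityPolicy.enabled are all set. The policy forbids privileged
containers and privilege escalation, drops every capability, and limits
hostPath volumes to read-only /proc and /sys plus whatever is listed in
nodeExporter.extraHostPathMounts.

NOTE(review): PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed
in 1.25. On newer clusters keep podSecurityPolicy.enabled off and enforce the
same constraints with Pod Security Admission or a policy engine.
*/}}
{{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.nodeExporter.fullname" . }}
  labels:
    {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
  {{- /* Emit the key only when annotations exist, so no bare `annotations:` (null) is rendered. */}}
  {{- with .Values.nodeExporter.podSecurityPolicy.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'hostPath'
    - 'secret'
  # hostPath is permitted above, so this allow-list is the only thing bounding
  # which parts of the node filesystem a pod under this policy can mount.
  allowedHostPaths:
    - pathPrefix: /proc
      readOnly: true
    - pathPrefix: /sys
      readOnly: true
    # Each extra mount widens host filesystem access. An entry without
    # readOnly is rendered as false (writable), so set readOnly: true in the
    # values unless write access is really needed.
    {{- range .Values.nodeExporter.extraHostPathMounts }}
    - pathPrefix: {{ .hostPath | quote }}
      readOnly: {{ .readOnly | default false }}
    {{- end }}
  # Host network / PID namespace access is taken straight from the chart
  # values; review both settings, since either one weakens pod isolation.
  hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
  hostPID: {{ .Values.nodeExporter.hostPID }}
  hostIPC: false
  # NOTE(review): RunAsAny also admits UID 0. If the node-exporter pod spec
  # (not visible in this template) runs as a non-root user, MustRunAsNonRoot
  # would be the tighter rule.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  # NOTE(review): this admits every host port. Narrow the range to the port
  # the exporter actually binds if that port is fixed.
  hostPorts:
    - min: 1
      max: 65535
{{- end }}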