github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885/testdata/local-charts/prometheus/templates/pushgateway/psp.yaml

github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885/testdata/local-charts/prometheus/templates/pushgateway/psp.yaml (about)

     1  {{- if and .Values.pushgateway.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
     2  apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
     3  kind: PodSecurityPolicy
     4  metadata:
     5    name: {{ template "prometheus.pushgateway.fullname" . }}
     6    labels:
     7      {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
     8    annotations:
     9  {{- if .Values.pushgateway.podSecurityPolicy.annotations }}
    10  {{ toYaml .Values.pushgateway.podSecurityPolicy.annotations | indent 4 }}
    11  {{- end }}
    12  spec:
    13    privileged: false
    14    allowPrivilegeEscalation: false
    15    requiredDropCapabilities:
    16      - ALL
    17    volumes:
    18      - 'persistentVolumeClaim'
    19      - 'secret'
    20    allowedHostPaths:
    21      - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }}
    22    hostNetwork: false
    23    hostPID: false
    24    hostIPC: false
    25    runAsUser:
    26      rule: 'RunAsAny'
    27    seLinux:
    28      rule: 'RunAsAny'
    29    supplementalGroups:
    30      rule: 'MustRunAs'
    31      ranges:
    32        # Forbid adding the root group.
    33        - min: 1
    34          max: 65535
    35    fsGroup:
    36      rule: 'MustRunAs'
    37      ranges:
    38        # Forbid adding the root group.
    39        - min: 1
    40          max: 65535
    41    readOnlyRootFilesystem: true
    42  {{- end }}