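{{- /*
PodSecurityPolicy for the Prometheus server pod.
Source: github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885,
testdata/local-charts/prometheus/templates/server/psp.yaml

Rendered only when server.enabled, rbac.create and podSecurityPolicy.enabled
are all true. The policy constrains a pod only if RBAC grants "use" on it;
that binding is not part of this template (verify it in the chart's role
templates).

Review notes:
  - The PodSecurityPolicy API was deprecated in Kubernetes v1.21 and removed
    in v1.25. On newer clusters the equivalent restrictions have to come
    from Pod Security Admission or an admission policy engine.
  - Templated path values are passed through quote so that an unusual value
    (empty, leading YAML indicator, number-like) cannot change the structure
    of the rendered manifest.
  - The annotations key is emitted only when annotations are configured, so
    the manifest never carries a bare, null-valued annotations entry.
*/ -}}
{{- if and .Values.server.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.server.fullname" . }}
  labels:
    {{- include "prometheus.server.labels" . | nindent 4 }}
  {{- if .Values.server.podSecurityPolicy.annotations }}
  annotations:
    {{- toYaml .Values.server.podSecurityPolicy.annotations | nindent 4 }}
  {{- end }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # Only CHOWN may be added. No requiredDropCapabilities is set, so this
  # policy does not remove anything from the runtime's default capability set.
  allowedCapabilities:
    - 'CHOWN'
  volumes:
    - 'configMap'
    - 'persistentVolumeClaim'
    - 'emptyDir'
    - 'secret'
    - 'hostPath'
  # hostPath volumes are limited to the prefixes below. Kubernetes documents
  # that a pathPrefix is an effective boundary only when every entry is
  # readOnly: true; a writable hostPath mount can reach outside its prefix.
  allowedHostPaths:
    - pathPrefix: /etc
      readOnly: true
    # No readOnly on this entry: writable hostPath mounts under the server's
    # persistent volume mount path are permitted by this policy.
    - pathPrefix: {{ .Values.server.persistentVolume.mountPath | quote }}
    # Each extraHostPathMounts value widens the policy; an entry whose
    # readOnly is unset or false permits writable access to that host path.
    {{- range .Values.server.extraHostPathMounts }}
    - pathPrefix: {{ .hostPath | quote }}
      readOnly: {{ .readOnly }}
    {{- end }}
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # Any UID is accepted, including 0 (root); only the group rules below
  # exclude GID 0. NOTE(review): MustRunAsNonRoot would be tighter if the
  # server image runs as a non-root user; confirm against the pod's
  # securityContext before changing.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
{{- end }}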