github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885/testdata/local-charts/prometheus/templates/server/psp.yaml

github.com/microsoft/fabrikate@v1.0.0-alpha.1.0.20210115014322-dc09194d0885/testdata/local-charts/prometheus/templates/server/psp.yaml (about)

     1  {{- if and .Values.server.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
     2  apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
     3  kind: PodSecurityPolicy
     4  metadata:
     5    name: {{ template "prometheus.server.fullname" . }}
     6    labels:
     7      {{- include "prometheus.server.labels" . | nindent 4 }}
     8    annotations:
     9  {{- if .Values.server.podSecurityPolicy.annotations }}
    10  {{ toYaml .Values.server.podSecurityPolicy.annotations | indent 4 }}
    11  {{- end }}
    12  spec:
    13    privileged: false
    14    allowPrivilegeEscalation: false
    15    allowedCapabilities:
    16      - 'CHOWN'
    17    volumes:
    18      - 'configMap'
    19      - 'persistentVolumeClaim'
    20      - 'emptyDir'
    21      - 'secret'
    22      - 'hostPath'
    23    allowedHostPaths:
    24      - pathPrefix: /etc
    25        readOnly: true
    26      - pathPrefix: {{ .Values.server.persistentVolume.mountPath }}
    27    {{- range .Values.server.extraHostPathMounts }}
    28      - pathPrefix: {{ .hostPath }}
    29        readOnly: {{ .readOnly }}
    30    {{- end }}
    31    hostNetwork: false
    32    hostPID: false
    33    hostIPC: false
    34    runAsUser:
    35      rule: 'RunAsAny'
    36    seLinux:
    37      rule: 'RunAsAny'
    38    supplementalGroups:
    39      rule: 'MustRunAs'
    40      ranges:
    41        # Forbid adding the root group.
    42        - min: 1
    43          max: 65535
    44    fsGroup:
    45      rule: 'MustRunAs'
    46      ranges:
    47        # Forbid adding the root group.
    48        - min: 1
    49          max: 65535
    50    readOnlyRootFilesystem: false
    51  {{- end }}