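{{- /*
PodSecurityPolicy for the prometheus-operator pod.

Rendered only when all of the following hold:
  - prometheusOperator.enabled, global.rbac.create and global.rbac.pspEnabled
    are set in values, and
  - the target API server still serves policy/v1beta1/PodSecurityPolicy
    (checked via .Capabilities.APIVersions, so on clusters that no longer
    carry the PSP API this template renders nothing at all).
*/ -}}
{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "kube-prometheus-stack.fullname" . }}-operator
  labels:
    app: {{ template "kube-prometheus-stack.name" . }}-operator
{{- /* The common chart labels are emitted at indent 4 and must directly follow
the `labels:` key. They used to be rendered after the optional annotations
block, which placed them under `annotations:` instead of `labels:` whenever
global.rbac.pspAnnotations was set. */}}
{{ include "kube-prometheus-stack.labels" . | indent 4 }}
{{- if .Values.global.rbac.pspAnnotations }}
  # Free-form annotations from values (e.g. seccomp/AppArmor profile
  # annotations); rendered verbatim at indent 4 under `annotations:`.
  annotations:
{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
{{- end }}
spec:
  privileged: false
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  # Rendered straight from values; the value is expected to be a boolean.
  # NOTE(review): an unset value renders as `hostNetwork: ` (null) — confirm
  # values.yaml always defines prometheusOperator.hostNetwork.
  hostNetwork: {{ .Values.prometheusOperator.hostNetwork }}
  hostIPC: false
  hostPID: false
  runAsUser:
    # Permits the container to run with root privileges as well.
    # The UID the operator actually runs as is governed by the pod's own
    # securityContext (set elsewhere in the chart), not by this policy.
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group.
      - min: 0
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group.
      - min: 0
        max: 65535
  # Not required by this policy; pods may still opt in through their own
  # securityContext. Note that allowPrivilegeEscalation and
  # requiredDropCapabilities are left unset here, so the PSP API defaults
  # apply (privilege escalation is permitted unless the pod disables it).
  readOnlyRootFilesystem: false
{{- end }}
{{- end }}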