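# Source: platform-operator/thirdparty/charts/prometheus-community/kube-prometheus-stack/templates/prometheus/psp.yaml
#
# PodSecurityPolicy for the Prometheus pods of kube-prometheus-stack.
# Rendered only when Prometheus is enabled, RBAC objects are being created,
# PSP support is switched on in values, and the cluster still serves the
# policy/v1beta1 PodSecurityPolicy API (PSP was removed in Kubernetes 1.25;
# on newer clusters this template renders nothing and pod admission must be
# handled by Pod Security Admission or an external admission controller).
{{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
  labels:
    app: {{ template "kube-prometheus-stack.name" . }}-prometheus
{{ include "kube-prometheus-stack.labels" . | indent 4 }}
  # The common chart labels above are emitted under "labels:" before any
  # optional annotations block so they can never be rendered under
  # "annotations:" when pspAnnotations is set.
{{- if .Values.global.rbac.pspAnnotations }}
  annotations:
{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
{{- end }}
spec:
  privileged: false
  # Allow core volume types. Extra volume types supplied via
  # .Values.prometheus.podSecurityPolicy.volumes are appended to this list
  # (they must be a YAML list) and widen what the Prometheus pods may mount.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
{{- if .Values.prometheus.podSecurityPolicy.volumes }}
{{ toYaml .Values.prometheus.podSecurityPolicy.volumes | indent 4 }}
{{- end }}
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Permits the container to run with root privileges as well.
    # Restricting the UID is left to the pod's securityContext (see
    # prometheus.prometheusSpec.securityContext in values), not to this policy.
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group.
      - min: 0
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group.
      - min: 0
        max: 65535
  # A writable root filesystem is allowed; Prometheus writes its TSDB to a
  # volume, so a read-only root could be enforced per pod via securityContext
  # if desired.
  readOnlyRootFilesystem: false
  # The two optional blocks below are only rendered when set in values and
  # each one loosens the policy: allowedCapabilities grants Linux capabilities
  # beyond the default set, allowedHostPaths permits hostPath mounts (which
  # must then also be listed under volumes to be usable). Review any value
  # supplied here as a privilege grant.
{{- if .Values.prometheus.podSecurityPolicy.allowedCapabilities }}
  allowedCapabilities:
{{ toYaml .Values.prometheus.podSecurityPolicy.allowedCapabilities | indent 4 }}
{{- end }}
{{- if .Values.prometheus.podSecurityPolicy.allowedHostPaths }}
  allowedHostPaths:
{{ toYaml .Values.prometheus.podSecurityPolicy.allowedHostPaths | indent 4 }}
{{- end }}
{{- end }}
{{- end }}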