{{- /*
Source: github.com/verrazzano/verrazzano@v1.7.0
platform-operator/thirdparty/charts/prometheus-community/prometheus-adapter/templates/psp.yaml

Renders a PodSecurityPolicy for the adapter, a ClusterRole that grants "use"
on that one policy, and a ClusterRoleBinding that binds the role to the
adapter's ServiceAccount. All three objects sit inside both guards below, so
nothing (policy or RBAC) is rendered unless .Values.psp.create is set and the
cluster advertises policy/v1beta1/PodSecurityPolicy.
*/ -}}
{{- if .Values.psp.create -}}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "k8s-prometheus-adapter.fullname" . }}
  {{- if .Values.customAnnotations }}
  annotations:
    {{- toYaml .Values.customAnnotations | nindent 4 }}
  {{- end }}
  labels:
    {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
spec:
  {{- /*
  Host networking is permitted only when .Values.hostNetwork.enabled is set,
  and then the allowed host port range is the single port .Values.listenPort.
  */}}
  {{- if .Values.hostNetwork.enabled }}
  hostNetwork: true
  hostPorts:
    - min: {{ .Values.listenPort }}
      max: {{ .Values.listenPort }}
  {{- end }}
  {{- /*
  Only the user ID is constrained: the 1024-65535 range excludes UID 0, while
  fsGroup, runAsGroup, supplementalGroups and seLinux are all RunAsAny, so
  group IDs (GID 0 included) and SELinux context are left to the pod spec.

  NOTE(review): this spec does not set privileged, allowPrivilegeEscalation,
  requiredDropCapabilities or readOnlyRootFilesystem, so those fall back to
  the PodSecurityPolicy API defaults (allowPrivilegeEscalation defaults to
  true). Stating them explicitly would make the intended posture auditable;
  confirm against the adapter Deployment's securityContext before tightening.
  */}}
  fsGroup:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 1024
        max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  {{- /* Volume allow-list: hostPath and every other volume type are rejected. */}}
  volumes:
    - secret
    - emptyDir
    - configMap
---
{{- /*
The grant is scoped by resourceNames to the single policy rendered above.

NOTE(review): the PodSecurityPolicy is named with the "fullname" helper, but
this ClusterRole and the ClusterRoleBinding below are named with the "name"
helper plus "-psp". Both kinds are cluster-scoped; if "name" omits the release
name (not visible here, check _helpers.tpl), two releases of this chart would
render the same ClusterRole and ClusterRoleBinding names.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
  name: {{ template "k8s-prometheus-adapter.name" . }}-psp
rules:
  - apiGroups:
      - 'policy'
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - {{ template "k8s-prometheus-adapter.fullname" . }}
---
{{- /*
Binds the ClusterRole above to exactly one subject: the adapter's
ServiceAccount in the namespace returned by the "namespace" helper.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
  name: {{ template "k8s-prometheus-adapter.name" . }}-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "k8s-prometheus-adapter.name" . }}-psp
subjects:
  - kind: ServiceAccount
    name: {{ template "k8s-prometheus-adapter.serviceAccountName" . }}
    namespace: {{ include "k8s-prometheus-adapter.namespace" . | quote }}
{{- end -}}
{{- end }}