github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/prometheus-community/prometheus-adapter/templates/psp.yaml (about)

     1  {{- if .Values.psp.create -}}
     2  {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
     3  ---
     4  apiVersion: policy/v1beta1
     5  kind: PodSecurityPolicy
     6  metadata:
     7    name: {{ template "k8s-prometheus-adapter.fullname" . }}
     8    {{- if .Values.customAnnotations }}
     9    annotations:
    10    {{- toYaml .Values.customAnnotations | nindent 4 }}
    11    {{- end }}
    12    labels:
    13      {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
    14  spec:
    15    {{- if .Values.hostNetwork.enabled }}
    16    hostNetwork: true
    17    hostPorts:
    18      - min: {{ .Values.listenPort }}
    19        max: {{ .Values.listenPort }}
    20    {{- end }}
    21    fsGroup:
    22      rule: RunAsAny
    23    runAsGroup:
    24      rule: RunAsAny
    25    runAsUser:
    26      rule: MustRunAs
    27      ranges:
    28      - min: 1024
    29        max: 65535
    30    seLinux:
    31      rule: RunAsAny
    32    supplementalGroups:
    33      rule: RunAsAny
    34    volumes:
    35    - secret
    36    - emptyDir
    37    - configMap
    38  ---
    39  apiVersion: rbac.authorization.k8s.io/v1
    40  kind: ClusterRole
    41  metadata:
    42    labels:
    43      {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
    44    name: {{ template "k8s-prometheus-adapter.name" . }}-psp
    45  rules:
    46  - apiGroups: 
    47    - 'policy'
    48    resources: ['podsecuritypolicies']
    49    verbs:     ['use']
    50    resourceNames:
    51    - {{ template "k8s-prometheus-adapter.fullname" . }}
    52  ---
    53  apiVersion: rbac.authorization.k8s.io/v1
    54  kind: ClusterRoleBinding
    55  metadata:
    56    labels:
    57      {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
    58    name: {{ template "k8s-prometheus-adapter.name" . }}-psp
    59  roleRef:
    60    apiGroup: rbac.authorization.k8s.io
    61    kind: ClusterRole
    62    name: {{ template "k8s-prometheus-adapter.name" . }}-psp
    63  subjects:
    64  - kind: ServiceAccount
    65    name: {{ template "k8s-prometheus-adapter.serviceAccountName" . }}
    66    namespace: {{ include "k8s-prometheus-adapter.namespace" . | quote }}
    67  {{- end -}}
    68  {{- end }}