{{- /*
PodSecurityPolicy for the prometheus-node-exporter chart.

Rendered only when rbac.create and rbac.pspEnabled are both set and the
cluster advertises policy/v1beta1/PodSecurityPolicy. That API was removed in
Kubernetes v1.25, so on newer clusters this template emits nothing and none of
the constraints below are applied by this chart.
NOTE(review): confirm an equivalent control (Pod Security Admission or a
policy engine) covers the exporter pods on clusters without PSP.
*/ -}}
{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "prometheus-node-exporter.fullname" . }}
  # NOTE(review): PodSecurityPolicy is a cluster-scoped kind, so this value
  # presumably does not scope the policy to a namespace. Who may use the
  # policy is decided by RBAC "use" bindings elsewhere - verify.
  namespace: {{ include "prometheus-node-exporter.namespace" . }}
  labels:
    {{- include "prometheus-node-exporter.labels" . | nindent 4 }}
  {{- with .Values.rbac.pspAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # Privileged containers are rejected. This spec sets neither
  # allowPrivilegeEscalation nor requiredDropCapabilities.
  # NOTE(review): check whether both can be added without breaking the
  # exporter.
  privileged: false
  # Allowed volume types: the core types plus hostPath. No allowedHostPaths
  # list is set in this spec, so hostPath is not limited to particular host
  # directories or to read-only mounts. Any pod admitted under this policy
  # can mount any path on the node.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
    - 'hostPath'
  # Host network and host PID namespaces are permitted; host IPC is not.
  hostNetwork: true
  hostIPC: false
  hostPID: true
  # Every host port (0-65535) may be bound, not only the exporter's own port.
  hostPorts:
    - min: 0
      max: 65535
  runAsUser:
    # Permits the container to run with root privileges as well.
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    # No AppArmor or seccomp profile is pinned in this file. PSP expresses
    # those as annotations, which here come only from rbac.pspAnnotations.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group: any GID from 0 to 65535 is accepted.
      - min: 0
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Allow adding the root group: any GID from 0 to 65535 is accepted.
      - min: 0
        max: 65535
  # A writable container root filesystem is allowed.
  readOnlyRootFilesystem: false
{{- end }}