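{{- if and .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
# PodSecurityPolicy used by the admission-webhook patch hook jobs. Rendered only
# when the admission webhooks and their patch job are enabled, RBAC and PSP
# support are enabled, and cert-manager is not issuing the webhook certificate.
# NOTE(review): policy/v1beta1 PodSecurityPolicy is deprecated in Kubernetes and
# removed in 1.25; newer clusters need Pod Security Admission instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "kube-prometheus-stack.fullname" . }}-admission
  annotations:
    # This PSP is itself a hook resource: it is recreated before the listed
    # phases and removed once the hook has succeeded.
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- if .Values.global.rbac.pspAnnotations }}
    # User-supplied annotations are merged into the same block so that
    # `metadata` never carries a second `annotations` key (which would drop
    # the hook annotations above and swallow the common labels below).
{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
{{- end }}
  labels:
    app: {{ template "kube-prometheus-stack.name" . }}-admission
{{ include "kube-prometheus-stack.labels" . | indent 4 }}
spec:
  privileged: false
  # Not set here (left commented out); enabling it would stop processes from
  # gaining more privileges than their parent.
  # allowPrivilegeEscalation: false
  # Largely redundant with non-root + no privilege escalation, but would add
  # defence in depth.
  # requiredDropCapabilities:
  #   - ALL
  # Allow core volume types only.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # RunAsAny also permits the container to run as root (UID 0).
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # The range starts at 0, so the root group (GID 0) is still permitted;
      # raise `min` to 1 to forbid it.
      - min: 0
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Same range as supplementalGroups: GID 0 is permitted; use `min: 1`
      # to forbid the root group.
      - min: 0
        max: 65535
  readOnlyRootFilesystem: false
{{- end }}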