authorSrivahni <srivahni.chivukula@intel.com>2019-03-22 14:33:38 -0700
committerSrivahni <srivahni.chivukula@intel.com>2019-03-22 14:34:48 -0700
commitc527da2405524418adb9eb27ce41391290ba41bc (patch)
tree5738d3d05e8274d6bbed8adbe19f13cd223ea48c /vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml
parent3c861dd4e53b43c94e60d28ec3699119966c6ceb (diff)
Fix node exporter integration with Prometheus
Change-Id: I05fe6c74bccad6dd2fd515dcda4d4efe7e9a50dd Issue-ID: ONAPARC-440 Signed-off-by: Srivahni Chivukula <srivahni.chivukula@intel.com>
Diffstat (limited to 'vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml')
-rwxr-xr-xvnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml51
1 files changed, 51 insertions, 0 deletions
diff --git a/vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml b/vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml
new file mode 100755
index 00000000..1fa6f289
--- /dev/null
+++ b/vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.rbac.create }}
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }}
+ name: {{ template "prometheus-node-exporter.fullname" . }}
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ # allowPrivilegeEscalation: false
+ # This is redundant with non-root + disallow privilege escalation,
+ # but we can provide it for defense in depth.
+ #requiredDropCapabilities:
+ # - ALL
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ - 'hostPath'
+ hostNetwork: true
+ hostIPC: false
+ hostPID: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ runAsUser:
+ # Permits the container to run with root privileges as well.
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}
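Review bot: The comments in `spec` describe a tighter policy than the one this template applies: `allowPrivilegeEscalation: false` and `requiredDropCapabilities` are commented out beneath the "Required to prevent escalations to root" remark, and both `supplementalGroups` and `fsGroup` say "Forbid adding the root group" while their ranges start at `min: 0`, which includes GID 0. If the exporter runs without them, restore `allowPrivilegeEscalation: false` and use `min: 1` in both ranges; otherwise reword the comments so they state what is permitted and why. `hostPath` is listed under `volumes` with no `allowedHostPaths`, so any pod admitted under this policy can mount any host directory read-write; limiting it to the paths the DaemonSet mounts (not visible in this file), each with `readOnly: true`, would keep host access to what metrics collection needs. Likewise `hostPorts` spans 0-65535 alongside `hostNetwork: true` and `hostPID: true`, where presumably only the exporter's listening port is required.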