diff options
author | Srivahni <srivahni.chivukula@intel.com> | 2019-03-22 14:33:38 -0700 |
---|---|---|
committer | Srivahni <srivahni.chivukula@intel.com> | 2019-03-22 14:34:48 -0700 |
commit | c527da2405524418adb9eb27ce41391290ba41bc (patch) | |
tree | 5738d3d05e8274d6bbed8adbe19f13cd223ea48c /vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml | |
parent | 3c861dd4e53b43c94e60d28ec3699119966c6ceb (diff) |
Fix node exporter integration with Prometheus
Change-Id: I05fe6c74bccad6dd2fd515dcda4d4efe7e9a50dd
Issue-ID: ONAPARC-440
Signed-off-by: Srivahni Chivukula <srivahni.chivukula@intel.com>
Diffstat (limited to 'vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml')
-rwxr-xr-x | vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml b/vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml new file mode 100755 index 00000000..1fa6f289 --- /dev/null +++ b/vnfs/DAaaS/collection/charts/prometheus-node-exporter/templates/psp.yaml @@ -0,0 +1,51 @@ +{{- if .Values.rbac.create }} +{{- if .Values.rbac.pspEnabled }} +apiVersion: extensions/v1beta1 +kind: PodSecurityPolicy +metadata: + labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} + name: {{ template "prometheus-node-exporter.fullname" . }} +spec: + privileged: false + # Required to prevent escalations to root. + # allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + #requiredDropCapabilities: + # - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + hostNetwork: true + hostIPC: false + hostPID: true + hostPorts: + - min: 0 + max: 65535 + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} |