authorDileep Ranganathan <dileep.ranganathan@intel.com>2019-03-05 10:24:06 -0800
committerDileep Ranganathan <dileep.ranganathan@intel.com>2019-03-05 10:38:48 -0800
commit3dfd3180c0a4d192f4524d74e36d2ba50bffff71 (patch)
tree7df49d15b185b73af9a902b17323e5fba46b208f /vnfs/DAaaS/collection/charts/prometheus-operator/templates/alertmanager/psp.yaml
parent1b81e8f0b51576f761aa8e3329285bfb61e6dd79 (diff)
Collection Service Helm charts package
The packages needed for distributed analytics are separated into collection, messaging, training, inference and visualization. The collection package consists of collection agents, Prometheus operator, and Prometheus. Change-Id: I12c6ed0607fbaedf7bbc207562fb5bf2a1950623 Issue-ID: ONAPARC-366 Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
Diffstat (limited to 'vnfs/DAaaS/collection/charts/prometheus-operator/templates/alertmanager/psp.yaml')
-rw-r--r--vnfs/DAaaS/collection/charts/prometheus-operator/templates/alertmanager/psp.yaml48
1 files changed, 48 insertions, 0 deletions
diff --git a/vnfs/DAaaS/collection/charts/prometheus-operator/templates/alertmanager/psp.yaml b/vnfs/DAaaS/collection/charts/prometheus-operator/templates/alertmanager/psp.yaml
new file mode 100644
index 00000000..01eda240
--- /dev/null
+++ b/vnfs/DAaaS/collection/charts/prometheus-operator/templates/alertmanager/psp.yaml
@@ -0,0 +1,48 @@
+{{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus-operator.fullname" . }}-alertmanager
+ labels:
+ app: {{ template "prometheus-operator.name" . }}-alertmanager
+{{ include "prometheus-operator.labels" . | indent 4 }}
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ # allowPrivilegeEscalation: false
+ # This is redundant with non-root + disallow privilege escalation,
+ # but we can provide it for defense in depth.
+ #requiredDropCapabilities:
+ # - ALL
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Permits the container to run with root privileges as well.
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
+
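Review bot: The comment `# Forbid adding the root group.` above both the supplementalGroups and fsGroup ranges contradicts the values beneath it: a range beginning at `min: 0` explicitly permits GID 0, so either both ranges should start at `min: 1` or the two comments should be removed so the policy is not read as stricter than it is. Likewise `allowPrivilegeEscalation: false` is left commented out even though its own comment calls it required; in the PodSecurityPolicy API that field defaults to true when omitted, so the policy as written does not stop a container from gaining more privileges than it started with, and uncommenting the line (`allowPrivilegeEscalation: false`) would make the comment true. `runAsUser` is `RunAsAny`, which the inline comment acknowledges allows root; if that is a deliberate accommodation for alertmanager, a one-line note saying why (e.g. `# RunAsAny kept because <reason> — tighten to MustRunAsNonRoot once confirmed`) would stop a later reviewer from re-raising it. The whole file sits inside the `{{- if ... }}` guard on the first line, so none of these changes affect deployments with pspEnabled unset.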