summaryrefslogtreecommitdiffstats
path: root/vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml
diff options
context:
space:
mode:
authorDileep Ranganathan <dileep.ranganathan@intel.com>2019-01-25 02:44:36 -0800
committerDileep Ranganathan <dileep.ranganathan@intel.com>2019-01-25 02:49:50 -0800
commitc942e55ceea4ce28e84168bb672a83572d0a6313 (patch)
tree8ef8e93a9d4bbd70c4076338ca5ce2be98990268 /vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml
parent1b97e2665be03fc518eb11de0863c42b2280149e (diff)
Helm charts for Distributed Edge Analytics.
Initial Helm charts for CollectD, Prometheus Operator, Kafka Strimzi operator, Rook Ceph Operator. Change-Id: I7323029bd0bf1e4b39aac329fc567f705a59bc0c Issue-ID: ONAPARC-366 Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
Diffstat (limited to 'vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml')
-rw-r--r--vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml48
1 files changed, 48 insertions, 0 deletions
diff --git a/vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml b/vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml
new file mode 100644
index 00000000..01eda240
--- /dev/null
+++ b/vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml
@@ -0,0 +1,48 @@
+{{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus-operator.fullname" . }}-alertmanager
+ labels:
+ app: {{ template "prometheus-operator.name" . }}-alertmanager
+{{ include "prometheus-operator.labels" . | indent 4 }}
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ # allowPrivilegeEscalation: false
+ # This is redundant with non-root + disallow privilege escalation,
+ # but we can provide it for defense in depth.
+ #requiredDropCapabilities:
+ # - ALL
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Permits the container to run with root privileges as well.
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
+