diff options
author | Dileep Ranganathan <dileep.ranganathan@intel.com> | 2019-01-25 02:44:36 -0800 |
---|---|---|
committer | Dileep Ranganathan <dileep.ranganathan@intel.com> | 2019-01-25 02:49:50 -0800 |
commit | c942e55ceea4ce28e84168bb672a83572d0a6313 (patch) | |
tree | 8ef8e93a9d4bbd70c4076338ca5ce2be98990268 /vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml | |
parent | 1b97e2665be03fc518eb11de0863c42b2280149e (diff) |
Helm charts for Distributed Edge Analytics.
Initial Helm charts for CollectD, Prometheus Operator,
Kafka Strimzi operator, Rook Ceph Operator.
Change-Id: I7323029bd0bf1e4b39aac329fc567f705a59bc0c
Issue-ID: ONAPARC-366
Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
Diffstat (limited to 'vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml')
-rw-r--r-- | vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml b/vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml new file mode 100644 index 00000000..01eda240 --- /dev/null +++ b/vnfs/DAaaS/prometheus-operator/templates/alertmanager/psp.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus-operator.fullname" . }}-alertmanager + labels: + app: {{ template "prometheus-operator.name" . }}-alertmanager +{{ include "prometheus-operator.labels" . | indent 4 }} +spec: + privileged: false + # Required to prevent escalations to root. + # allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + #requiredDropCapabilities: + # - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} + |