aboutsummaryrefslogtreecommitdiffstats
path: root/vnfs/DAaaS/prometheus-operator/templates/prometheus/psp.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'vnfs/DAaaS/prometheus-operator/templates/prometheus/psp.yaml')
-rw-r--r--vnfs/DAaaS/prometheus-operator/templates/prometheus/psp.yaml47
1 files changed, 47 insertions, 0 deletions
diff --git a/vnfs/DAaaS/prometheus-operator/templates/prometheus/psp.yaml b/vnfs/DAaaS/prometheus-operator/templates/prometheus/psp.yaml
new file mode 100644
index 00000000..40d33462
--- /dev/null
+++ b/vnfs/DAaaS/prometheus-operator/templates/prometheus/psp.yaml
@@ -0,0 +1,47 @@
+{{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus-operator.fullname" . }}-prometheus
+ labels:
+ app: {{ template "prometheus-operator.name" . }}-prometheus
+{{ include "prometheus-operator.labels" . | indent 4 }}
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ # allowPrivilegeEscalation: false
+ # This is redundant with non-root + disallow privilege escalation,
+ # but we can provide it for defense in depth.
+ #requiredDropCapabilities:
+ # - ALL
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Permits the container to run with root privileges as well.
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 0
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}