diff options
Diffstat (limited to 'vnfs/DAaaS/visualization/charts/grafana/templates/podsecuritypolicy.yaml')
-rwxr-xr-x | vnfs/DAaaS/visualization/charts/grafana/templates/podsecuritypolicy.yaml | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/vnfs/DAaaS/visualization/charts/grafana/templates/podsecuritypolicy.yaml b/vnfs/DAaaS/visualization/charts/grafana/templates/podsecuritypolicy.yaml new file mode 100755 index 00000000..d3ef3644 --- /dev/null +++ b/vnfs/DAaaS/visualization/charts/grafana/templates/podsecuritypolicy.yaml @@ -0,0 +1,54 @@ +{{- if .Values.rbac.pspEnabled }} +apiVersion: extensions/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "grafana.fullname" . }} + labels: + app: {{ template "grafana.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.rbac.pspUseAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + # Default set from Docker, without DAC_OVERRIDE or CHOWN + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - SETPCAP + - NET_BIND_SERVICE + - NET_RAW + - SYS_CHROOT + - MKNOD + - AUDIT_WRITE + - SETFCAP + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} |