From 3d5a3e06530c1250d48f7d838c619f3bfbcd019d Mon Sep 17 00:00:00 2001
From: Dileep Ranganathan <dileep.ranganathan@intel.com>
Date: Thu, 30 May 2019 12:38:37 -0700
Subject: Refactor Distributed Analytics project structure

Modified the project structure to improve maintainability and to add future CI and
integration test support.

Change-Id: Id30bfb1f83f23785a6b5f99e81f42f752d59c0f8
Issue-ID: ONAPARC-280
Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
---
 .../templates/alertmanager/psp.yaml                | 48 ++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 vnfs/DAaaS/deploy/operator/charts/prometheus-operator/templates/alertmanager/psp.yaml

(limited to 'vnfs/DAaaS/deploy/operator/charts/prometheus-operator/templates/alertmanager/psp.yaml')

diff --git a/vnfs/DAaaS/deploy/operator/charts/prometheus-operator/templates/alertmanager/psp.yaml b/vnfs/DAaaS/deploy/operator/charts/prometheus-operator/templates/alertmanager/psp.yaml
new file mode 100644
index 00000000..01eda240
--- /dev/null
+++ b/vnfs/DAaaS/deploy/operator/charts/prometheus-operator/templates/alertmanager/psp.yaml
@@ -0,0 +1,48 @@
+{{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "prometheus-operator.fullname" . }}-alertmanager
+  labels:
+    app: {{ template "prometheus-operator.name" . }}-alertmanager
+{{ include "prometheus-operator.labels" . | indent 4 }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  # allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  #requiredDropCapabilities:
+  #  - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Permits the container to run with root privileges as well.
+    rule: 'RunAsAny'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
+
-- 
cgit 1.2.3-korg