author | Lukasz Rajewski <lukasz.rajewski@t-mobile.pl> | 2024-03-11 15:39:30 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2024-03-11 15:39:30 +0000 |
commit | fa01ec554cfa10cb1f9ec8be0c5530dd3f3ea50a (patch) | |
tree | 0f21b55af795554e19a745a4dcb0b063eb7ff18a /kubernetes/common/mongodb/templates/psp.yaml | |
parent | 9964927d8766c5c396ef2caf6f7aeb7494db279e (diff) | |
parent | cde4a784a593555c17146635dcc25013872cabc5 (diff) |
Merge "[MONGODB] Update to latest bitnami mongodb chart"
Diffstat (limited to 'kubernetes/common/mongodb/templates/psp.yaml')
-rw-r--r-- | kubernetes/common/mongodb/templates/psp.yaml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/kubernetes/common/mongodb/templates/psp.yaml b/kubernetes/common/mongodb/templates/psp.yaml
new file mode 100644
index 0000000000..61c452b48b
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/psp.yaml
@@ -0,0 +1,51 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.podSecurityPolicy.spec }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }}
+{{- else }}
+ allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.podSecurityContext.fsGroup }}
+ max: {{ .Values.podSecurityContext.fsGroup }}
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: {{ .Values.podSecurityPolicy.privileged }}
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+{{- end }}
+{{- end }}
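Review bot: The `supplementalGroups` range in the default spec is bounded by `.Values.containerSecurityContext.runAsUser`, a user id, whereas `fsGroup` is bounded by `.Values.podSecurityContext.fsGroup`; unless the chart guarantees uid == gid, a MustRunAs range built from the uid is either meaningless or, presumably, makes the API server reject pods that declare a different group, and the bound looks like it should be a group id, e.g. `- min: {{ .Values.podSecurityContext.fsGroup }}` / `max: {{ .Values.podSecurityContext.fsGroup }}`. The VMware header and the commit title suggest this file mirrors the upstream Bitnami template, so the correction may belong upstream or deserves a local deviation comment. Separately, `privileged`, `allowPrivilegeEscalation`, `runAsUser` and `fsGroup` are rendered unquoted straight from values with no `required`/`default` guard, so an unset value yields an empty field — for the id ranges that is most likely an invalid policy rather than a restrictive one, and the failure would be clearer if the template asserted the value. Finally, `podSecurityPolicy.spec` replaces the entire restrictive default block when set; a one-line comment at `{{- if .Values.podSecurityPolicy.spec }}` noting that this override bypasses the privileged/hostNetwork/capability restrictions below would help reviewers of values overrides.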