Add support for prometheus
[ric-plt/ric-dep.git] / helm / infrastructure / subcharts / prometheus / templates / alertmanager-podsecuritypolicy.yaml
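{{- /*
PodSecurityPolicy applied to the Alertmanager pods.

Rendered only when both .Values.rbac.create and .Values.podSecurityPolicy.enabled
are truthy. The RBAC rule that grants the Alertmanager service account `use` on
this policy is not part of this template; without it the policy is never selected.

NOTE(review): PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in
v1.25. On newer clusters this object cannot be created, so the restrictions below
need an equivalent (Pod Security Admission or a policy engine).
*/ -}}
{{- if .Values.rbac.create }}
{{- if .Values.podSecurityPolicy.enabled }}
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.alertmanager.fullname" . }}
  labels:
    {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
  {{- /* Emit the key only when there is something under it, instead of a bare `annotations:` (null). */}}
  {{- if .Values.alertmanager.podSecurityPolicy.annotations }}
  annotations:
    {{- toYaml .Values.alertmanager.podSecurityPolicy.annotations | nindent 4 }}
  {{- end }}
spec:
  # No privileged containers, no privilege gain after start, all capabilities dropped.
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Allow-list of volume types. hostPath is not listed, so pods admitted under
  # this policy cannot mount host paths.
  volumes:
    - 'configMap'
    - 'persistentVolumeClaim'
    - 'emptyDir'
    - 'secret'
  # NOTE(review): allowedHostPaths is only consulted for hostPath volumes, which
  # the volumes list above does not permit, so these entries currently have no
  # effect. If hostPath is ever added to that list, the second prefix is not
  # marked readOnly and would admit writable host mounts under that path.
  allowedHostPaths:
    - pathPrefix: /etc
      readOnly: true
    # Quoted so the templated value always renders as a YAML string.
    - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath | quote }}
  # Pods may not share the node's network, PID or IPC namespaces.
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # NOTE(review): RunAsAny admits UID 0. The group ranges below exclude the root
  # group but not the root user; MustRunAsNonRoot would close that gap, provided
  # the Alertmanager securityContext (not visible here) already sets a non-root UID.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  # Container root filesystem is read-only; writable data must live on a mounted volume.
  readOnlyRootFilesystem: true
{{- end }}
{{- end }}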