Add support for prometheus
[ric-plt/ric-dep.git] / helm / infrastructure / subcharts / prometheus / templates / node-exporter-podsecuritypolicy.yaml
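{{- /*
PodSecurityPolicy applied to the Prometheus node-exporter pods.

Rendered only when .Values.nodeExporter.enabled, .Values.rbac.create and
.Values.podSecurityPolicy.enabled are all truthy. The apiVersion comes from
the "prometheus.podSecurityPolicy.apiVersion" helper, defined elsewhere.

NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25. On newer
clusters the same constraints have to be enforced with Pod Security Admission
or an admission policy engine; keep podSecurityPolicy.enabled off there.
*/ -}}
{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
{{- if .Values.podSecurityPolicy.enabled }}
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.nodeExporter.fullname" . }}
  labels:
    {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
  {{- /* Emit the key only when annotations are set, so it never renders as a bare null. */}}
  {{- with .Values.nodeExporter.podSecurityPolicy.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # hostPath is permitted as a volume type; allowedHostPaths below is what
  # limits which host directories can actually be mounted.
  volumes:
    - 'configMap'
    - 'hostPath'
    - 'secret'
  allowedHostPaths:
    - pathPrefix: /proc
      readOnly: true
    - pathPrefix: /sys
      readOnly: true
    # Entries below come from nodeExporter.extraHostPathMounts in values.
    # An entry without readOnly renders as false, i.e. a writable host mount;
    # set readOnly: true in values unless write access is required.
  {{- range .Values.nodeExporter.extraHostPathMounts }}
    - pathPrefix: {{ .hostPath | quote }}
      readOnly: {{ .readOnly | default false }}
  {{- end }}
  # Host namespace sharing is driven by values. Enabling either one gives the
  # exporter pod visibility into the node's network stack or process table.
  hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
  hostPID: {{ .Values.nodeExporter.hostPID }}
  hostIPC: false
  # RunAsAny does not stop a container from running as UID 0; a non-root
  # user has to be enforced through the pod's own securityContext.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  # The policy does not require a read-only root filesystem.
  readOnlyRootFilesystem: false
  # Any host port is admitted by this range; it could be narrowed to the
  # port(s) the exporter is actually configured to bind.
  hostPorts:
    - min: 1
      max: 65535
{{- end }}
{{- end }}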