Add support for prometheus
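{{- /*
pushgateway-podsecuritypolicy.yaml

Renders the PodSecurityPolicy (PSP) for the Prometheus pushgateway. Nothing is
emitted unless both .Values.rbac.create and .Values.podSecurityPolicy.enabled
are set.

Review notes:
  - PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25;
    on newer clusters equivalent restrictions have to come from Pod Security
    Admission or a policy engine.
  - A PSP constrains only pods whose service account (or creating user) is
    authorised to "use" it. That RBAC binding is not part of this template.
*/ -}}
{{- if .Values.rbac.create }}
{{- if .Values.podSecurityPolicy.enabled }}
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.pushgateway.fullname" . }}
  labels:
    {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
  {{- with .Values.pushgateway.podSecurityPolicy.annotations }}
  # Emitted only when annotations are configured, so the key is never left as
  # a bare null. PSP seccomp and AppArmor profile restrictions are expressed
  # as annotations, so none are enforced unless supplied through this value.
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # No privileged containers, no privilege escalation, and every Linux
  # capability dropped.
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Only these volume types may be mounted; 'hostPath' is not among them.
  volumes:
    - 'persistentVolumeClaim'
    - 'secret'
  # NOTE(review): allowedHostPaths restricts hostPath volumes only, and
  # 'hostPath' is absent from `volumes` above, so this entry appears to have
  # no effect. The prefix is the persistent volume's mountPath value; confirm
  # a node path was intended before ever adding 'hostPath' to the list.
  # The value is quoted so an empty or special-character path stays a string.
  allowedHostPaths:
    - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath | quote }}
  # No sharing of the node's network, PID or IPC namespaces.
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # NOTE(review): RunAsAny admits UID 0. The group rules below exclude GID 0,
  # but nothing here stops the container from running as the root user.
  # 'MustRunAsNonRoot' would, provided the pushgateway pod sets a non-root
  # UID (not visible in this template; confirm before tightening).
  runAsUser:
    rule: 'RunAsAny'
  # Any SELinux context is accepted.
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  # The container image's root filesystem is mounted read-only; writable data
  # has to live on one of the volume types allowed above.
  readOnlyRootFilesystem: true
{{- end }}
{{- end }}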