Add support for prometheus

[ric-plt/ric-dep.git] / helm / infrastructure / subcharts / prometheus / charts / kube-state-metrics / templates / podsecuritypolicy.yaml

diff --git a/helm/infrastructure/subcharts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/helm/infrastructure/subcharts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml
new file mode 100644 (file)
index 0000000..aeff117
--- /dev/null
+++ b/helm/infrastructure/subcharts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "kube-state-metrics.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Values.podSecurityPolicy.annotations }}
+  annotations:
+{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+  privileged: false
+  volumes:
+    - 'secret'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}