Add support for prometheus
diff --git a/helm/infrastructure/subcharts/prometheus/templates/node-exporter-podsecuritypolicy.yaml b/helm/infrastructure/subcharts/prometheus/templates/node-exporter-podsecuritypolicy.yaml
new file mode 100644 (file)
index 0000000..825794b
--- /dev/null
@@ -0,0 +1,55 @@
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "prometheus.nodeExporter.fullname" . }}
+  labels:
+    {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+  annotations:
+{{- if .Values.nodeExporter.podSecurityPolicy.annotations }}
+{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'hostPath'
+    - 'secret'
+  allowedHostPaths:
+    - pathPrefix: /proc
+      readOnly: true
+    - pathPrefix: /sys
+      readOnly: true
+  {{- range .Values.nodeExporter.extraHostPathMounts }}
+    - pathPrefix: {{ .hostPath }}
+      readOnly: {{ .readOnly }}
+  {{- end }}
+  hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
+  hostPID: {{ .Values.nodeExporter.hostPID }}
+  hostIPC: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  hostPorts:
+    - min: 1
+      max: 65535
+{{- end }}
+{{- end }}
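Review bot: The `readOnly: {{ .readOnly }}` line inside the `extraHostPathMounts` range renders as an empty value whenever a values entry omits `readOnly`; the API server reads that as false, so the policy silently allows a writable host-path prefix for whatever path the operator listed. Failing closed keeps the PSP restrictive unless a mount opts out explicitly, e.g. `readOnly: {{ if hasKey . "readOnly" }}{{ .readOnly }}{{ else }}true{{ end }}` (a plain `default true` would be wrong, since Sprig treats an explicit `false` as empty). The `hostPorts` range `min: 1` / `max: 65535` likewise permits binding any host port, which looks wider than a single exporter port needs, so consider narrowing it to the exporter's configured port if the chart exposes one. Because `hostNetwork` and `hostPID` are taken straight from values and PodSecurityPolicy is removed from Kubernetes 1.25 onward, a short comment at the top of the file noting which values widen the policy's privilege and that the helper-selected `apiVersion` is PSP-only would help reviewers of this chart.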