--- /dev/null
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+ annotations:
+{{- if .Values.nodeExporter.podSecurityPolicy.annotations }}
+{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'hostPath'
+ - 'secret'
+ allowedHostPaths:
+ - pathPrefix: /proc
+ readOnly: true
+ - pathPrefix: /sys
+ readOnly: true
+ {{- range .Values.nodeExporter.extraHostPathMounts }}
+ - pathPrefix: {{ .hostPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
+ hostPID: {{ .Values.nodeExporter.hostPID }}
+ hostIPC: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ hostPorts:
+ - min: 1
+ max: 65535
+{{- end }}
+{{- end }}