| {{- if and .Values.psp.create (.Capabilities.APIVersions.Has "policy/v1beta1") }} | |
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: {{ include "vector.fullname" . }} | |
| labels: | |
| {{- include "vector.labels" . | nindent 4 }} | |
| spec: | |
| privileged: false | |
| allowPrivilegeEscalation: false | |
| readOnlyRootFilesystem: false | |
| requiredDropCapabilities: | |
| - ALL | |
| volumes: | |
| - 'hostPath' | |
| - 'configMap' | |
| - 'emptyDir' | |
| - 'secret' | |
| - 'projected' | |
| allowedHostPaths: | |
| - pathPrefix: "/var/log" | |
| readOnly: true | |
| - pathPrefix: "/var/lib" | |
| readOnly: true | |
| - pathPrefix: {{ .Values.persistence.hostPath.path | quote }} | |
| readOnly: false | |
| - pathPrefix: "/sys" | |
| readOnly: true | |
| - pathPrefix: "/proc" | |
| readOnly: true | |
| hostNetwork: {{ .Values.podHostNetwork }} | |
| hostIPC: false | |
| hostPID: false | |
| runAsUser: | |
| rule: 'RunAsAny' | |
| seLinux: | |
| rule: 'RunAsAny' | |
| supplementalGroups: | |
| rule: 'MustRunAs' | |
| ranges: | |
| - min: 1 | |
| max: 65535 | |
| fsGroup: | |
| rule: 'MustRunAs' | |
| ranges: | |
| - min: 1 | |
| max: 65535 | |
| {{- end }} |