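{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
# PodSecurityPolicy for the ceph-csi-rbd node plugin. Rendered only when
# .Values.nodeplugin.podSecurityPolicy.enabled is set. The policy/v1beta1
# PodSecurityPolicy API was removed in Kubernetes 1.25; on such clusters keep
# this disabled and enforce the equivalent constraints with Pod Security
# Admission or an admission controller instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Templated values are passed through `quote` so that an empty, numeric or
  # boolean-looking expansion (e.g. a release named "0815") still renders as
  # a string; label values and names must be strings for the API server.
  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . | quote }}
  labels:
    app: {{ include "ceph-csi-rbd.name" . | quote }}
    chart: {{ include "ceph-csi-rbd.chart" . | quote }}
    component: {{ .Values.nodeplugin.name | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
spec:
  # privileged + SYS_ADMIN + host network/PID namespaces amount to node-level
  # access for any pod allowed to `use` this policy. Presumably required for
  # mapping block devices on the host; the RBAC binding that grants `use`
  # (defined elsewhere in the chart -- confirm) should name only the
  # nodeplugin ServiceAccount.
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - SYS_ADMIN
  privileged: true
  hostNetwork: true
  hostPID: true
  # No user/group/SELinux constraints are imposed on the plugin pod.
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - hostPath
  # hostPath volumes are restricted to these prefixes. /dev, /sys and
  # /run/mount are writable (device mapping); SELinux policy and kernel
  # modules are read-only. The last two prefixes come from chart values, so
  # reviewing the rendered output for overly broad paths (e.g. "/") is
  # worthwhile.
  allowedHostPaths:
    - pathPrefix: /dev
      readOnly: false
    - pathPrefix: /run/mount
      readOnly: false
    - pathPrefix: /sys
      readOnly: false
    - pathPrefix: /etc/selinux
      readOnly: true
    - pathPrefix: /lib/modules
      readOnly: true
    - pathPrefix: {{ .Values.cephLogDirHostPath | quote }}
      readOnly: false
    - pathPrefix: {{ .Values.kubeletDir | quote }}
      readOnly: false
{{- end }}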