| {{- if and .Values.psp.create (.Capabilities.APIVersions.Has "policy/v1beta1") }} |
| apiVersion: policy/v1beta1 |
| kind: PodSecurityPolicy |
| metadata: |
| name: {{ include "vector.fullname" . }} |
| labels: |
| {{- include "vector.labels" . | nindent 4 }} |
| spec: |
| privileged: false |
| allowPrivilegeEscalation: false |
| readOnlyRootFilesystem: false |
| requiredDropCapabilities: |
| - ALL |
| volumes: |
| - 'hostPath' |
| - 'configMap' |
| - 'emptyDir' |
| - 'secret' |
| - 'projected' |
| allowedHostPaths: |
| - pathPrefix: "/var/log" |
| readOnly: true |
| - pathPrefix: "/var/lib" |
| readOnly: true |
| - pathPrefix: {{ .Values.persistence.hostPath.path | quote }} |
| readOnly: false |
| - pathPrefix: "/sys" |
| readOnly: true |
| - pathPrefix: "/proc" |
| readOnly: true |
| hostNetwork: false |
| hostIPC: false |
| hostPID: false |
| runAsUser: |
| rule: 'RunAsAny' |
| seLinux: |
| rule: 'RunAsAny' |
| supplementalGroups: |
| rule: 'MustRunAs' |
| ranges: |
| - min: 1 |
| max: 65535 |
| fsGroup: |
| rule: 'MustRunAs' |
| ranges: |
| - min: 1 |
| max: 65535 |
| {{- end }} |