| Mohammed Naser | 9ad0d46 | 2023-01-15 20:36:37 -0500 | [diff] [blame] | 1 | {{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} |
| 2 | {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} |
| 3 | apiVersion: policy/v1beta1 |
| 4 | kind: PodSecurityPolicy |
| 5 | metadata: |
| 6 | name: {{ template "kube-prometheus-stack.fullname" . }}-alertmanager |
| 7 | labels: |
| 8 | app: {{ template "kube-prometheus-stack.name" . }}-alertmanager |
| 9 | {{- if .Values.global.rbac.pspAnnotations }} |
| 10 | annotations: |
| 11 | {{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }} |
| 12 | {{- end }} |
| 13 | {{ include "kube-prometheus-stack.labels" . | indent 4 }} |
| 14 | spec: |
| 15 | privileged: false |
| 16 | # Allow core volume types. |
| 17 | volumes: |
| 18 | - 'configMap' |
| 19 | - 'emptyDir' |
| 20 | - 'projected' |
| 21 | - 'secret' |
| 22 | - 'downwardAPI' |
| 23 | - 'persistentVolumeClaim' |
| 24 | hostNetwork: false |
| 25 | hostIPC: false |
| 26 | hostPID: false |
| 27 | runAsUser: |
| 28 | # Permits the container to run with root privileges as well. |
| 29 | rule: 'RunAsAny' |
| 30 | seLinux: |
| 31 | # This policy assumes the nodes are using AppArmor rather than SELinux. |
| 32 | rule: 'RunAsAny' |
| 33 | supplementalGroups: |
| 34 | rule: 'MustRunAs' |
| 35 | ranges: |
| 36 | # Allow adding the root group. |
| 37 | - min: 0 |
| 38 | max: 65535 |
| 39 | fsGroup: |
| 40 | rule: 'MustRunAs' |
| 41 | ranges: |
| 42 | # Allow adding the root group. |
| 43 | - min: 0 |
| 44 | max: 65535 |
| 45 | readOnlyRootFilesystem: false |
| 46 | {{- end }} |
| 47 | {{- end }} |