| Mohammed Naser | 8a2c8fb | 2023-02-19 17:23:55 +0000 | [diff] [blame] | 1 | {{- if .Values.rbac.pspEnabled }} |
| 2 | apiVersion: policy/v1beta1 |
| 3 | kind: PodSecurityPolicy |
| 4 | metadata: |
| 5 | name: {{ include "loki.name" . }} |
| 6 | labels: |
| 7 | {{- include "loki.labels" . | nindent 4 }} |
| Giovanni Tirloni | 59219b6 | 2024-04-09 14:50:25 -0300 | [diff] [blame] | 8 | {{- if .Values.rbac.pspAnnotations }} |
| 9 | annotations: |
| 10 | {{ toYaml .Values.rbac.pspAnnotations | indent 4 }} |
| 11 | {{- end }} |
| Mohammed Naser | 8a2c8fb | 2023-02-19 17:23:55 +0000 | [diff] [blame] | 12 | spec: |
| 13 | privileged: false |
| 14 | allowPrivilegeEscalation: false |
| 15 | volumes: |
| 16 | - 'configMap' |
| 17 | - 'emptyDir' |
| 18 | - 'persistentVolumeClaim' |
| 19 | - 'secret' |
| Giovanni Tirloni | 59219b6 | 2024-04-09 14:50:25 -0300 | [diff] [blame] | 20 | - 'projected' |
| Mohammed Naser | 8a2c8fb | 2023-02-19 17:23:55 +0000 | [diff] [blame] | 21 | hostNetwork: false |
| 22 | hostIPC: false |
| 23 | hostPID: false |
| 24 | runAsUser: |
| 25 | rule: 'MustRunAsNonRoot' |
| 26 | seLinux: |
| 27 | rule: 'RunAsAny' |
| 28 | supplementalGroups: |
| 29 | rule: 'MustRunAs' |
| 30 | ranges: |
| 31 | - min: 1 |
| 32 | max: 65535 |
| 33 | fsGroup: |
| 34 | rule: 'MustRunAs' |
| 35 | ranges: |
| 36 | - min: 1 |
| 37 | max: 65535 |
| 38 | readOnlyRootFilesystem: true |
| 39 | requiredDropCapabilities: |
| 40 | - ALL |
| 41 | {{- end }} |