{{- if and .Values.psp.create (.Capabilities.APIVersions.Has "policy/v1beta1") }}
# Rendered only when PSPs are requested in values AND the cluster still serves
# policy/v1beta1. PodSecurityPolicy was removed in Kubernetes 1.25, so the
# API-version guard keeps the release from failing on newer clusters.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "vector.fullname" . }}
  labels:
    {{- include "vector.labels" . | nindent 4 }}
spec:
  # No privileged containers, no privilege escalation, and every Linux
  # capability must be dropped.
  privileged: false
  allowPrivilegeEscalation: false
  # A writable container root filesystem remains allowed.
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
    - ALL
  # Volume types a pod bound to this policy may use; hostPath is further
  # constrained by allowedHostPaths below.
  volumes:
    - hostPath
    - configMap
    - emptyDir
    - secret
    - projected
  # Host directories the pod may mount. All of them must be mounted read-only
  # except the chart's persistence path, which is the only writable host
  # location. Note that "/var/lib" is a broad prefix (it covers the whole
  # tree under it), although it is read-only here.
  allowedHostPaths:
    - pathPrefix: "/var/log"
      readOnly: true
    - pathPrefix: "/var/lib"
      readOnly: true
    - pathPrefix: {{ .Values.persistence.hostPath.path | quote }}
      readOnly: false
    - pathPrefix: "/sys"
      readOnly: true
    - pathPrefix: "/proc"
      readOnly: true
  # Host networking follows the chart value; the host IPC and PID namespaces
  # are never shared.
  hostNetwork: {{ .Values.podHostNetwork }}
  hostIPC: false
  hostPID: false
  # No restriction on the container UID or on the SELinux context.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Supplemental groups and fsGroup must be non-root GIDs in 1-65535.
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
{{- end }}