| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- {{- if .Values.rbac.pspEnabled }}
- apiVersion: policy/v1beta1
- kind: PodSecurityPolicy
- metadata:
- name: {{ template "grafana.fullname" . }}
- namespace: {{ template "grafana.namespace" . }}
- labels:
- {{- include "grafana.labels" . | nindent 4 }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- {{- if .Values.rbac.pspUseAppArmor }}
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- {{- end }}
- spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- # Default set from Docker, without DAC_OVERRIDE or CHOWN
- - FOWNER
- - FSETID
- - KILL
- - SETGID
- - SETUID
- - SETPCAP
- - NET_BIND_SERVICE
- - NET_RAW
- - SYS_CHROOT
- - MKNOD
- - AUDIT_WRITE
- - SETFCAP
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
- {{- end }}
|
