| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546 |
- {{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
- apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
- kind: PodSecurityPolicy
- metadata:
- name: {{ template "prometheus.alertmanager.fullname" . }}
- labels:
- {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
- annotations:
- {{- if .Values.alertmanager.podSecurityPolicy.annotations }}
- {{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }}
- {{- end }}
- spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'configMap'
- - 'persistentVolumeClaim'
- - 'emptyDir'
- - 'secret'
- allowedHostPaths:
- - pathPrefix: /etc
- readOnly: true
- - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }}
- hostNetwork: false
- hostPID: false
- hostIPC: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: true
- {{- end }}
|
