k8s/loki/loki-stack/charts/prometheus/templates/node-exporter/psp.yaml

{{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.nodeExporter.fullname" . }}
  labels:
    {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
  annotations:
{{- if .Values.nodeExporter.podSecurityPolicy.annotations }}
{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }}
{{- end }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'hostPath'
    - 'secret'
  allowedHostPaths:
    - pathPrefix: /proc
      readOnly: true
    - pathPrefix: /sys
      readOnly: true
    - pathPrefix: /
      readOnly: true
  {{- range .Values.nodeExporter.extraHostPathMounts }}
    - pathPrefix: {{ .hostPath }}
      readOnly: {{ .readOnly }}
  {{- end }}
  hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
  hostPID: {{ .Values.nodeExporter.hostPID }}
  hostIPC: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  hostPorts:
    - min: 1
      max: 65535
{{- end }}