1 {{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated since Kubernetes 1.21 and
# removed in 1.25; on 1.25+ clusters this object cannot be applied and the equivalent
# controls have to come from Pod Security Admission or an admission-policy engine.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
5 name: {{ template "prometheus-operator.fullname" . }}-prometheus
7 app: {{ template "prometheus-operator.name" . }}-prometheus
8 {{ include "prometheus-operator.labels" . | indent 4 }}
# Not enforced: while this field is commented out the PSP default applies and privilege
# escalation (e.g. via setuid binaries) remains allowed. Uncomment to block escalation to root.
# allowPrivilegeEscalation: false
# Dropping all capabilities would be redundant only if this policy enforced non-root and
# disallowed privilege escalation; it does neither (the runAsUser rule below permits root and
# allowPrivilegeEscalation is left unset), so enabling it here is a genuine restriction,
# not merely defense in depth.
#requiredDropCapabilities:
17 # Allow core volume types.
24 - 'persistentVolumeClaim'
# Permits the container to run as any UID, including root (UID 0); non-root is not enforced by this policy.
# Imposes no SELinux constraint on the pod; this assumes the nodes rely on AppArmor rather than SELinux for mandatory access control.
# Forbid the root group (GID 0).
# Forbid the root group (GID 0).
# Does not require an immutable root filesystem, so pods under this policy may write to their
# container filesystem. NOTE(review): the policy already allows persistentVolumeClaim volumes
# for writable data — confirm whether `true` is viable for the Prometheus pod.
readOnlyRootFilesystem: false