Refactor Distributed Analytics project structure
diff --git a/vnfs/DAaaS/deploy/collection/charts/prometheus-node-exporter/templates/psp.yaml b/vnfs/DAaaS/deploy/collection/charts/prometheus-node-exporter/templates/psp.yaml
new file mode 100755 (executable)
index 0000000..1fa6f28
--- /dev/null
@@ -0,0 +1,51 @@
+{{- if .Values.rbac.create }}
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }}
+  name: {{ template "prometheus-node-exporter.fullname" . }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  # allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  #requiredDropCapabilities:
+  #  - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+    - 'hostPath'
+  hostNetwork: true
+  hostIPC: false
+  hostPID: true
+  hostPorts:
+    - min: 0
+      max: 65535
+  runAsUser:
+    # Permits the container to run with root privileges as well.
+    rule: 'RunAsAny'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}
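Review bot: The comment `# Forbid adding the root group.` above the `supplementalGroups` and `fsGroup` ranges contradicts the value under it, since `min: 0` admits GID 0 (root); either raise the lower bound to `min: 1` if node-exporter does not need group 0, or reword the comment to `# Any group, including root (GID 0), is permitted.` so the policy reads as it behaves. Separately, `apiVersion: extensions/v1beta1` is the deprecated API group for PodSecurityPolicy; `apiVersion: policy/v1beta1` is the supported form on clusters that still offer PSP. The `hostNetwork: true`, `hostPID: true` and `readOnlyRootFilesystem: false` grants are broad, so each deserves a one-line comment in the template stating why the exporter needs it, in the same style as the existing notes on `runAsUser` and `seLinux`. The commented-out `allowPrivilegeEscalation: false` and `requiredDropCapabilities` entries should either be enabled or the comment should say why they are left off, since as written the file suggests they were intended.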