mirror of
https://github.com/bitnami/charts.git
synced 2026-02-10 03:17:20 +08:00
f7961f2fc3
* [bitnami/fluentd] Make volume mount read-only Signed-off-by: Carlos Rodríguez Hernández <carlos.rodriguez-hernandez@broadcom.com> * Update CHANGELOG.md Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com> --------- Signed-off-by: Carlos Rodríguez Hernández <carlos.rodriguez-hernandez@broadcom.com> Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com> Co-authored-by: Bitnami Bot <bitnami.bot@broadcom.com>
74 lines
2.4 KiB
YAML
74 lines
2.4 KiB
YAML
{{- /*
|
|
Copyright Broadcom, Inc. All Rights Reserved.
|
|
SPDX-License-Identifier: APACHE-2.0
|
|
*/}}
|
|
|
|
{{- if and (include "common.capabilities.psp.supported" .) .Values.forwarder.enabled .Values.forwarder.rbac.create .Values.forwarder.rbac.pspEnabled }}
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: {{ printf "%s-forwarder" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
|
namespace: {{ .Release.Namespace | quote }}
|
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
|
app.kubernetes.io/component: forwarder
|
|
{{- if .Values.commonAnnotations }}
|
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
privileged: false
|
|
allowPrivilegeEscalation: false
|
|
requiredDropCapabilities:
|
|
- ALL
|
|
allowedHostPaths:
|
|
- pathPrefix: '/var/lib/docker/containers'
|
|
readOnly: true
|
|
- pathPrefix: '/var/log'
|
|
readOnly: {{ .Values.varlog.readonly }}
|
|
volumes:
|
|
- 'configMap'
|
|
- 'emptyDir'
|
|
- 'projected'
|
|
- 'secret'
|
|
- 'downwardAPI'
|
|
- 'hostPath'
|
|
- 'persistentVolumeClaim'
|
|
hostNetwork: {{ .Values.forwarder.hostNetwork }}
|
|
hostIPC: false
|
|
hostPID: false
|
|
runAsUser:
|
|
{{- if eq (int .Values.forwarder.podSecurityContext.runAsUser) 0 }}
|
|
rule: 'RunAsAny'
|
|
{{- else }}
|
|
rule: 'MustRunAs'
|
|
ranges:
|
|
- min: {{ .Values.forwarder.podSecurityContext.runAsUser }}
|
|
max: {{ .Values.forwarder.podSecurityContext.runAsUser }}
|
|
{{- end }}
|
|
runAsGroup:
|
|
{{- if eq (int .Values.forwarder.podSecurityContext.runAsGroup) 0 }}
|
|
rule: 'RunAsAny'
|
|
{{- else }}
|
|
rule: 'MustRunAs'
|
|
ranges:
|
|
- min: {{ .Values.forwarder.podSecurityContext.runAsGroup }}
|
|
max: {{ .Values.forwarder.podSecurityContext.runAsGroup }}
|
|
{{- end }}
|
|
seLinux:
|
|
rule: 'RunAsAny'
|
|
supplementalGroups:
|
|
rule: 'MustRunAs'
|
|
ranges:
|
|
- min: 1
|
|
max: 65535
|
|
fsGroup:
|
|
{{- if eq (int .Values.forwarder.podSecurityContext.fsGroup) 0 }}
|
|
rule: 'RunAsAny'
|
|
{{- else }}
|
|
rule: 'MustRunAs'
|
|
ranges:
|
|
- min: {{ .Values.forwarder.podSecurityContext.fsGroup }}
|
|
max: {{ .Values.forwarder.podSecurityContext.fsGroup }}
|
|
{{- end }}
|
|
readOnlyRootFilesystem: {{ .Values.forwarder.containerSecurityContext.readOnlyRootFilesystem }}
|
|
{{- end }}
|