rancher-partner-charts/charts/dynatrace-oneagent-operator/templates/Kubernetes/podsecuritypolicy-webhook.yaml

# Copyright 2019 Dynatrace LLC

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

{{- $platformIsSet := printf "%s" (required "Platform needs to be set to kubernetes or openshift" (include "dynatrace-oneagent-operator.platformSet" .))}}
{{- if eq .Values.platform "kubernetes" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: dynatrace-oneagent-webhook
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "docker/default"
    apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default"
    seccomp.security.alpha.kubernetes.io/defaultProfileName: "docker/default"
    apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"
spec:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
    - ALL
  volumes:
    - "configMap"
    - "emptyDir"
    - "projected"
    - "secret"
    - "downwardAPI"
    - "persistentVolumeClaim"
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: "MustRunAsNonRoot"
  seLinux:
    rule: "RunAsAny"
  supplementalGroups:
    rule: "RunAsAny"
  fsGroup:
    rule: "RunAsAny"
{{ end }}
Generated changes 2020-09-25 18:35:57 +00:00			`# Copyright 2019 Dynatrace LLC`

			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`

			`# http://www.apache.org/licenses/LICENSE-2.0`

			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`{{- $platformIsSet := printf "%s" (required "Platform needs to be set to kubernetes or openshift" (include "dynatrace-oneagent-operator.platformSet" .))}}`
			`{{- if eq .Values.platform "kubernetes" }}`
			`apiVersion: policy/v1beta1`
			`kind: PodSecurityPolicy`
			`metadata:`
			`name: dynatrace-oneagent-webhook`
			`annotations:`
			`seccomp.security.alpha.kubernetes.io/allowedProfileNames: "docker/default"`
			`apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default"`
			`seccomp.security.alpha.kubernetes.io/defaultProfileName: "docker/default"`
			`apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"`
			`spec:`
			`privileged: false`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`requiredDropCapabilities:`
			`- ALL`
			`volumes:`
			`- "configMap"`
			`- "emptyDir"`
			`- "projected"`
			`- "secret"`
			`- "downwardAPI"`
			`- "persistentVolumeClaim"`
			`hostNetwork: false`
			`hostIPC: false`
			`hostPID: false`
			`runAsUser:`
			`rule: "MustRunAsNonRoot"`
			`seLinux:`
			`rule: "RunAsAny"`
			`supplementalGroups:`
			`rule: "RunAsAny"`
			`fsGroup:`
			`rule: "RunAsAny"`
			`{{ end }}`