{{- /*
PodSecurityPolicy for the node sensor (the privileged DaemonSet that runs on
every node). Nothing is rendered unless ALL of the following hold:
  - the cluster does NOT expose security.openshift.io/v1, i.e. it is not
    OpenShift (there the sensor is presumably admitted through
    SecurityContextConstraints in a sibling template — confirm);
  - the cluster still serves policy/v1beta1 PodSecurityPolicy;
  - the Kubernetes minor version is below 25, where the PSP API was removed.
    This is belt-and-braces on top of the API check (a 1.25+ API server would
    reject the object even if a stale discovery cache still listed the API);
  - .Values.node.enabled is true.
The policy grants every relaxation a pod can ask for (see the per-field notes
below), so permission to `use` it is equivalent to root on the node. It must be
bound only to the node sensor's ServiceAccount. The Role/RoleBinding that grant
`use` are not in this file and are expected in sibling templates — verify they
do not widen the audience beyond that ServiceAccount.
*/}}
{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
{{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 25 }}
{{- if .Values.node.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "falcon-sensor.fullname" . }}-node
  labels:
    app: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . }}
spec:
  # Deliberately unrestricted: a kernel-level sensor needs privileged access
  # and the host namespaces. Every relaxation below is intentional, but it also
  # means that a compromised sensor pod — or any principal allowed to create
  # pods under this PSP — has full control of the node.
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  # '*' admits every Linux capability. It is quoted because a bare * would be
  # parsed as a YAML alias. NOTE(review): moot while privileged is true, but
  # this is the first field to tighten if privileged mode is ever dropped.
  allowedCapabilities:
    - '*'
  fsGroup:
    rule: RunAsAny
  # Host IPC, network and PID namespaces are all shared with the node.
  hostIPC: true
  hostNetwork: true
  # NOTE(review): no hostPorts ranges are declared (PSP default: none allowed).
  # With hostNetwork: true the API server defaults hostPort to containerPort
  # for every declared container port, and the PSP would then reject the pod.
  # Harmless only if the node DaemonSet declares no ports — confirm against
  # the DaemonSet template.
  hostPID: true
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # Any volume type, including hostPath with no allowedHostPaths restriction.
  # NOTE(review): could be narrowed to the volume types the DaemonSet actually
  # mounts (plus allowedHostPaths for the host paths it uses) — check the
  # DaemonSet template before tightening so the sensor is not denied admission.
  volumes:
    - '*'
{{- end }}
{{- end }}
{{- end }}
{{- end }}