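{{- /*
PodSecurityPolicy for the container sensor.

PodSecurityPolicy was removed from the Kubernetes API in 1.25, so this
resource is rendered only when all three conditions hold:
  - the target cluster's minor version is below 25,
  - the policy/v1beta1 PodSecurityPolicy API is served by the cluster, and
  - the container sensor is enabled in values (.Values.container.enabled).
*/ -}}
{{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 25 }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
{{- if .Values.container.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "falcon-sensor.fullname" . }}-container
  labels:
    # Templated label values are quoted so that a release or chart name
    # that looks like a number or boolean is still rendered as a string.
    app: {{ include "falcon-sensor.name" . | quote }}
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . | quote }}
spec:
  # Privilege boundaries: no privileged containers, no privilege
  # escalation, and no sharing of the host IPC, network or PID namespaces.
  privileged: false
  allowPrivilegeEscalation: false
  hostIPC: false
  hostNetwork: false
  hostPID: false
  # A read-only root filesystem is not enforced by this policy.
  readOnlyRootFilesystem: false
  # Capabilities every pod admitted by this policy must drop.
  requiredDropCapabilities:
    - KILL
    - MKNOD
    - SYS_CHROOT
    - AUDIT_WRITE
    - CHOWN
    - FOWNER
    - FSETID
    - NET_BIND_SERVICE
    - NET_RAW
    - SETPCAP
  # Capabilities a pod may additionally request. This is the broadest grant
  # in the policy; review it whenever the policy is tightened.
  allowedCapabilities:
    - SYS_PTRACE
    - DAC_OVERRIDE
    - SETUID
    - SETGID
  # No constraints are placed on the user, groups, fsGroup or SELinux context.
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Volume types the pod may mount; hostPath is not in this list.
  volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
{{- end }}
{{- end }}
{{- end }}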