Merge pull request #1060 from ArthurSens/as/psp-addon-fixes

PodSecurityPolicy uses role instead of clusterRole where possible
Frederic Branczyk
2021-03-30 13:33:48 +02:00
committed by GitHub


@@ -2,7 +2,7 @@ local restrictedPodSecurityPolicy = {
apiVersion: 'policy/v1beta1', apiVersion: 'policy/v1beta1',
kind: 'PodSecurityPolicy', kind: 'PodSecurityPolicy',
metadata: { metadata: {
name: 'restricted', name: 'kube-prometheus-restricted',
}, },
spec: { spec: {
privileged: false, privileged: false,
@@ -54,9 +54,9 @@ local restrictedPodSecurityPolicy = {
restrictedPodSecurityPolicy: restrictedPodSecurityPolicy, restrictedPodSecurityPolicy: restrictedPodSecurityPolicy,
alertmanager+: { alertmanager+: {
clusterRole: { role: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole', kind: 'Role',
metadata: { metadata: {
name: 'alertmanager-' + $.values.alertmanager.name, name: 'alertmanager-' + $.values.alertmanager.name,
}, },
@@ -68,15 +68,15 @@ local restrictedPodSecurityPolicy = {
}], }],
}, },
clusterRoleBinding: { roleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding', kind: 'RoleBinding',
metadata: { metadata: {
name: 'alertmanager-' + $.values.alertmanager.name, name: 'alertmanager-' + $.values.alertmanager.name,
}, },
roleRef: { roleRef: {
apiGroup: 'rbac.authorization.k8s.io', apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole', kind: 'Role',
name: 'alertmanager-' + $.values.alertmanager.name, name: 'alertmanager-' + $.values.alertmanager.name,
}, },
subjects: [{ subjects: [{
@@ -121,9 +121,9 @@ local restrictedPodSecurityPolicy = {
}, },
grafana+: { grafana+: {
clusterRole: { role: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole', kind: 'Role',
metadata: { metadata: {
name: 'grafana', name: 'grafana',
}, },
@@ -135,15 +135,15 @@ local restrictedPodSecurityPolicy = {
}], }],
}, },
clusterRoleBinding: { roleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding', kind: 'RoleBinding',
metadata: { metadata: {
name: 'grafana', name: 'grafana',
}, },
roleRef: { roleRef: {
apiGroup: 'rbac.authorization.k8s.io', apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole', kind: 'Role',
name: 'grafana', name: 'grafana',
}, },
subjects: [{ subjects: [{
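Review bot: The new `role` and `roleBinding` objects for alertmanager, and the grafana pair below them, still carry only `metadata.name`, which was enough for the cluster-scoped kinds but leaves a namespaced `Role`/`RoleBinding` without a pinned namespace. As written, the PSP `use` grant would land in whatever namespace the apply step defaults to, which may not be where the component's service account runs; I would add `namespace: <component namespace>,` next to each `name:` in these four metadata blocks. The `rules` of both roles sit between the hunks and are not shown, so it is worth confirming that their `resourceNames` follow the rename to `'kube-prometheus-restricted'` rather than a literal `'restricted'`. The `subjects` lists continue outside the visible hunks.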