--- # Source: loki-stack/charts/grafana/templates/podsecuritypolicy.yaml apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: loki-grafana labels: helm.sh/chart: grafana-6.24.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: loki app.kubernetes.io/version: "8.3.5" app.kubernetes.io/managed-by: Helm annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: # Default set from Docker, with DAC_OVERRIDE and CHOWN - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'csi' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 readOnlyRootFilesystem: false