elastic · krichter722 · Mar 15, 2020 · jmlrt · Jun 16, 2020 · jmlrt
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
@@ -114,6 +114,7 @@ podSecurityPolicy:
       - secret
       - configMap
       - persistentVolumeClaim
+      - projected
 
 persistence:
   enabled: true

diff --git a/logstash/values.yaml b/logstash/values.yaml
@@ -89,6 +89,7 @@ podSecurityPolicy:
       - secret
       - configMap
       - persistentVolumeClaim
+      - projected
 
 persistence:
   enabled: false

diff --git a/metricbeat/templates/podsecuritypolicy.yaml b/metricbeat/templates/podsecuritypolicy.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.podSecurityPolicy.create -}}
+{{- $fullName := include "metricbeat.fullname" . -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ default $fullName .Values.podSecurityPolicy.name | quote }}
+  labels:
+    app: "{{ template "metricbeat.fullname" . }}"
+    chart: "{{ .Chart.Name }}"
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+spec:
+{{ toYaml .Values.podSecurityPolicy.spec | indent 2 }}
+{{- end -}}
diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml
@@ -218,6 +218,25 @@ clusterRoleRules:
   - nodes/stats
   verbs: ["get"]
 
+podSecurityPolicy:
+  create: false
+  name: ""
+  spec:
+    privileged: true
+    fsGroup:
+      rule: RunAsAny
+    runAsUser:
+      rule: RunAsAny
+    seLinux:
+      rule: RunAsAny
+    supplementalGroups:
+      rule: RunAsAny
+    volumes:
+      - secret
+      - configMap
+      - persistentVolumeClaim
+      - projected
+
 podAnnotations: {}
   # iam.amazonaws.com/role: es-cluster