update
diff --git a/charts/cert-manager/templates/psp.yaml b/charts/cert-manager/templates/psp.yaml
new file mode 100644
index 0000000..9e99f5c
--- /dev/null
+++ b/charts/cert-manager/templates/psp.yaml
@@ -0,0 +1,49 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "cert-manager.fullname" . }}
+ labels:
+ app: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "controller"
+ {{- include "labels" . | nindent 4 }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: [] # default set of capabilities are implicitly allowed
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+{{- end }}