| {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} |
| {{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} |
| apiVersion: policy/v1beta1 |
| kind: PodSecurityPolicy |
| metadata: |
| name: {{ include "ingress-nginx.fullname" . }}-admission |
| annotations: |
| "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade |
| "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded |
| labels: |
| {{- include "ingress-nginx.labels" . | nindent 4 }} |
| app.kubernetes.io/component: admission-webhook |
| {{- with .Values.controller.admissionWebhooks.patch.labels }} |
| {{- toYaml . | nindent 4 }} |
| {{- end }} |
| spec: |
| allowPrivilegeEscalation: false |
| fsGroup: |
| ranges: |
| - max: 65535 |
| min: 1 |
| rule: MustRunAs |
| requiredDropCapabilities: |
| - ALL |
| runAsUser: |
| rule: MustRunAsNonRoot |
| seLinux: |
| rule: RunAsAny |
| supplementalGroups: |
| ranges: |
| - max: 65535 |
| min: 1 |
| rule: MustRunAs |
| volumes: |
| - configMap |
| - emptyDir |
| - projected |
| - secret |
| - downwardAPI |
| {{- end }} |
| {{- end }} |