charts/ingress-nginx/templates/controller-psp.yaml - pcloud - Gitiles

 {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
 {{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
     {{- with .Values.controller.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
   allowedCapabilities:
     - NET_BIND_SERVICE
   {{- if .Values.controller.image.chroot }}
     - SYS_CHROOT
   {{- end }}
 {{- if .Values.controller.sysctls }}
   allowedUnsafeSysctls:
   {{- range $sysctl, $value := .Values.controller.sysctls }}
   - {{ $sysctl }}
   {{- end }}
 {{- end }}
   privileged: false
   allowPrivilegeEscalation: true
   # Allow core volume types.
   volumes:
     - 'configMap'
     - 'emptyDir'
     - 'projected'
     - 'secret'
     - 'downwardAPI'
 {{- if .Values.controller.hostNetwork }}
   hostNetwork: {{ .Values.controller.hostNetwork }}
 {{- end }}
 {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
   hostPorts:
 {{- if .Values.controller.hostNetwork }}
 {{- range $key, $value := .Values.controller.containerPort }}
   # {{ $key }}
   - min: {{ $value }}
     max: {{ $value }}
 {{- end }}
 {{- else if .Values.controller.hostPort.enabled }}
 {{- range $key, $value := .Values.controller.hostPort.ports }}
   # {{ $key }}
   - min: {{ $value }}
     max: {{ $value }}
 {{- end }}
 {{- end }}
 {{- if .Values.controller.metrics.enabled }}
   # metrics
   - min: {{ .Values.controller.metrics.port }}
     max: {{ .Values.controller.metrics.port }}
 {{- end }}
 {{- if .Values.controller.admissionWebhooks.enabled }}
   # admission webhooks
   - min: {{ .Values.controller.admissionWebhooks.port }}
     max: {{ .Values.controller.admissionWebhooks.port }}
 {{- end }}
 {{- range $key, $value := .Values.tcp }}
   # {{ $key }}-tcp
   - min: {{ $key }}
     max: {{ $key }}
 {{- end }}
 {{- range $key, $value := .Values.udp }}
   # {{ $key }}-udp
   - min: {{ $key }}
     max: {{ $key }}
 {{- end }}
 {{- end }}
   hostIPC: false
   hostPID: false
   runAsUser:
     # Require the container to run without root privileges.
     rule: 'MustRunAsNonRoot'
   supplementalGroups:
     rule: 'MustRunAs'
     ranges:
       # Forbid adding the root group.
       - min: 1
         max: 65535
   fsGroup:
     rule: 'MustRunAs'
     ranges:
       # Forbid adding the root group.
       - min: 1
         max: 65535
   readOnlyRootFilesystem: false
   seLinux:
     rule: 'RunAsAny'
 {{- end }}
 {{- end }}
	{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
	{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
	apiVersion: policy/v1beta1
	kind: PodSecurityPolicy
	metadata:
	name: {{ include "ingress-nginx.fullname" . }}
	labels:
	{{- include "ingress-nginx.labels" . \| nindent 4 }}
	app.kubernetes.io/component: controller
	{{- with .Values.controller.labels }}
	{{- toYaml . \| nindent 4 }}
	{{- end }}
	spec:
	allowedCapabilities:
	- NET_BIND_SERVICE
	{{- if .Values.controller.image.chroot }}
	- SYS_CHROOT
	{{- end }}
	{{- if .Values.controller.sysctls }}
	allowedUnsafeSysctls:
	{{- range $sysctl, $value := .Values.controller.sysctls }}
	- {{ $sysctl }}
	{{- end }}
	{{- end }}
	privileged: false
	allowPrivilegeEscalation: true
	# Allow core volume types.
	volumes:
	- 'configMap'
	- 'emptyDir'
	- 'projected'
	- 'secret'
	- 'downwardAPI'
	{{- if .Values.controller.hostNetwork }}
	hostNetwork: {{ .Values.controller.hostNetwork }}
	{{- end }}
	{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
	hostPorts:
	{{- if .Values.controller.hostNetwork }}
	{{- range $key, $value := .Values.controller.containerPort }}
	# {{ $key }}
	- min: {{ $value }}
	max: {{ $value }}
	{{- end }}
	{{- else if .Values.controller.hostPort.enabled }}
	{{- range $key, $value := .Values.controller.hostPort.ports }}
	# {{ $key }}
	- min: {{ $value }}
	max: {{ $value }}
	{{- end }}
	{{- end }}
	{{- if .Values.controller.metrics.enabled }}
	# metrics
	- min: {{ .Values.controller.metrics.port }}
	max: {{ .Values.controller.metrics.port }}
	{{- end }}
	{{- if .Values.controller.admissionWebhooks.enabled }}
	# admission webhooks
	- min: {{ .Values.controller.admissionWebhooks.port }}
	max: {{ .Values.controller.admissionWebhooks.port }}
	{{- end }}
	{{- range $key, $value := .Values.tcp }}
	# {{ $key }}-tcp
	- min: {{ $key }}
	max: {{ $key }}
	{{- end }}
	{{- range $key, $value := .Values.udp }}
	# {{ $key }}-udp
	- min: {{ $key }}
	max: {{ $key }}
	{{- end }}
	{{- end }}
	hostIPC: false
	hostPID: false
	runAsUser:
	# Require the container to run without root privileges.
	rule: 'MustRunAsNonRoot'
	supplementalGroups:
	rule: 'MustRunAs'
	ranges:
	# Forbid adding the root group.
	- min: 1
	max: 65535
	fsGroup:
	rule: 'MustRunAs'
	ranges:
	# Forbid adding the root group.
	- min: 1
	max: 65535
	readOnlyRootFilesystem: false
	seLinux:
	rule: 'RunAsAny'
	{{- end }}
	{{- end }}