Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / d1234c13f83eb9f7b901168c1f1724f344870de2^! / . / charts / cert-manager / templates / startupapicheck-psp.yaml
commitd1234c13f83eb9f7b901168c1f1724f344870de2[log] [tgz]
authorGiorgi Lekveishvili <lekva@gl-mbp-m1-max.local>Mon Jun 19 10:37:06 2023 +0400
committerGiorgi Lekveishvili <lekva@gl-mbp-m1-max.local>Mon Jun 19 10:37:06 2023 +0400
tree2bd19030f55478024f03cd3e52429f6dceeea21f
parent045c2b93e9ff64cded9d5cf5db1f31f50966453b [diff] [blame]
charts: cert manager

diff --git a/charts/cert-manager/templates/startupapicheck-psp.yaml b/charts/cert-manager/templates/startupapicheck-psp.yaml
new file mode 100644
index 0000000..f09d60d
--- /dev/null
+++ b/charts/cert-manager/templates/startupapicheck-psp.yaml

@@ -0,0 +1,51 @@
+{{- if .Values.startupapicheck.enabled }}
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "startupapicheck.fullname" . }}
+  labels:
+    app: {{ include "startupapicheck.name" . }}
+    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "startupapicheck"
+    {{- include "labels" . | nindent 4 }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    {{- end }}
+    {{- with .Values.startupapicheck.rbac.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []  # default set of capabilities are implicitly allowed
+  volumes:
+  - 'projected'
+  - 'secret'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 1000
+      max: 1000
+{{- end }}
+{{- end }}