{{- /*
PodSecurityPolicy for the admission-webhook certificate patch job.

Rendered only when every guard below holds: the cluster is below 1.25
(the policy/v1beta1 PodSecurityPolicy API is removed in 1.25), admission
webhooks and their patch job are enabled, PSP support is enabled in values,
and no existing policy name was supplied via
controller.admissionWebhooks.existingPsp.
*/ -}}
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "ingress-nginx.fullname" . }}-admission
  # Lifecycle is tied to the Helm hooks of the patch job: the policy is
  # recreated before each hook run and deleted once the hook succeeds.
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: admission-webhook
    {{- with .Values.controller.admissionWebhooks.patch.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  # Process identity: the pod must run as a non-root UID, may not gain
  # privileges, and must drop every Linux capability.
  runAsUser:
    rule: MustRunAsNonRoot
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Group identity: fsGroup and supplemental groups are constrained to the
  # same range, which excludes GID 0.
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny
  # Allow-list of volume types; host-backed types such as hostPath are
  # deliberately absent.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
{{- end }}
{{- end }}