Blame - charts/ingress-nginx/templates/controller-psp.yaml - pcloud

blob: bdb856310522ef982c834ee83ffc335cd90774c2 [file] [log] [blame]

Giorgi Lekveishvili	725bb39	2023-05-05 18:24:27 +0400	[diff] [blame]	1	{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
				2	apiVersion: policy/v1beta1
				3	kind: PodSecurityPolicy
				4	metadata:
				5	name: {{ include "ingress-nginx.fullname" . }}
				6	labels:
				7	{{- include "ingress-nginx.labels" . \| nindent 4 }}
				8	app.kubernetes.io/component: controller
				9	spec:
				10	allowedCapabilities:
				11	- NET_BIND_SERVICE
				12	{{- if .Values.controller.sysctls }}
				13	allowedUnsafeSysctls:
				14	{{- range $sysctl, $value := .Values.controller.sysctls }}
				15	- {{ $sysctl }}
				16	{{- end }}
				17	{{- end }}
				18	privileged: false
				19	allowPrivilegeEscalation: true
				20	# Allow core volume types.
				21	volumes:
				22	- 'configMap'
				23	- 'emptyDir'
				24	#- 'projected'
				25	- 'secret'
				26	#- 'downwardAPI'
				27	{{- if .Values.controller.hostNetwork }}
				28	hostNetwork: {{ .Values.controller.hostNetwork }}
				29	{{- end }}
				30	{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
				31	hostPorts:
				32	{{- if .Values.controller.hostNetwork }}
				33	{{- range $key, $value := .Values.controller.containerPort }}
				34	# {{ $key }}
				35	- min: {{ $value }}
				36	max: {{ $value }}
				37	{{- end }}
				38	{{- else if .Values.controller.hostPort.enabled }}
				39	{{- range $key, $value := .Values.controller.hostPort.ports }}
				40	# {{ $key }}
				41	- min: {{ $value }}
				42	max: {{ $value }}
				43	{{- end }}
				44	{{- end }}
				45	{{- if .Values.controller.metrics.enabled }}
				46	# metrics
				47	- min: {{ .Values.controller.metrics.port }}
				48	max: {{ .Values.controller.metrics.port }}
				49	{{- end }}
				50	{{- if .Values.controller.admissionWebhooks.enabled }}
				51	# admission webhooks
				52	- min: {{ .Values.controller.admissionWebhooks.port }}
				53	max: {{ .Values.controller.admissionWebhooks.port }}
				54	{{- end }}
				55	{{- range $key, $value := .Values.tcp }}
				56	# {{ $key }}-tcp
				57	- min: {{ $key }}
				58	max: {{ $key }}
				59	{{- end }}
				60	{{- range $key, $value := .Values.udp }}
				61	# {{ $key }}-udp
				62	- min: {{ $key }}
				63	max: {{ $key }}
				64	{{- end }}
				65	{{- end }}
				66	hostIPC: false
				67	hostPID: false
				68	runAsUser:
				69	# Require the container to run without root privileges.
				70	rule: 'MustRunAsNonRoot'
				71	supplementalGroups:
				72	rule: 'MustRunAs'
				73	ranges:
				74	# Forbid adding the root group.
				75	- min: 1
				76	max: 65535
				77	fsGroup:
				78	rule: 'MustRunAs'
				79	ranges:
				80	# Forbid adding the root group.
				81	- min: 1
				82	max: 65535
				83	readOnlyRootFilesystem: false
				84	seLinux:
				85	rule: 'RunAsAny'
				86	{{- end }}