| Giorgi Lekveishvili | d1234c1 | 2023-06-19 10:37:06 +0400 | [diff] [blame] | 1 | {{- if .Values.global.podSecurityPolicy.enabled }} |
| 2 | apiVersion: policy/v1beta1 |
| 3 | kind: PodSecurityPolicy |
| 4 | metadata: |
| 5 | name: {{ template "webhook.fullname" . }} |
| 6 | labels: |
| 7 | app: {{ include "webhook.name" . }} |
| 8 | app.kubernetes.io/name: {{ include "webhook.name" . }} |
| 9 | app.kubernetes.io/instance: {{ .Release.Name }} |
| 10 | app.kubernetes.io/component: "webhook" |
| 11 | {{- include "labels" . | nindent 4 }} |
| 12 | annotations: |
| 13 | seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' |
| 14 | seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' |
| 15 | {{- if .Values.global.podSecurityPolicy.useAppArmor }} |
| 16 | apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
| 17 | apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
| 18 | {{- end }} |
| 19 | spec: |
| 20 | privileged: false |
| 21 | allowPrivilegeEscalation: false |
| 22 | allowedCapabilities: [] # default set of capabilities are implicitly allowed |
| 23 | volumes: |
| 24 | - 'configMap' |
| 25 | - 'emptyDir' |
| 26 | - 'projected' |
| 27 | - 'secret' |
| 28 | - 'downwardAPI' |
| 29 | hostNetwork: {{ .Values.webhook.hostNetwork }} |
| 30 | {{- if .Values.webhook.hostNetwork }} |
| 31 | hostPorts: |
| 32 | - max: {{ .Values.webhook.securePort }} |
| 33 | min: {{ .Values.webhook.securePort }} |
| 34 | {{- end }} |
| 35 | hostIPC: false |
| 36 | hostPID: false |
| 37 | runAsUser: |
| 38 | rule: 'MustRunAs' |
| 39 | ranges: |
| 40 | - min: 1000 |
| 41 | max: 1000 |
| 42 | seLinux: |
| 43 | rule: 'RunAsAny' |
| 44 | supplementalGroups: |
| 45 | rule: 'MustRunAs' |
| 46 | ranges: |
| 47 | - min: 1000 |
| 48 | max: 1000 |
| 49 | fsGroup: |
| 50 | rule: 'MustRunAs' |
| 51 | ranges: |
| 52 | - min: 1000 |
| 53 | max: 1000 |
| 54 | {{- end }} |