| 1234567891011121314151617181920212223242526272829303132333435363738 |
- {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
- {{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
- apiVersion: policy/v1beta1
- kind: PodSecurityPolicy
- metadata:
- name: {{ include "ingress-nginx.fullname" . }}-backend
- labels:
- {{- include "ingress-nginx.labels" . | nindent 4 }}
- app.kubernetes.io/component: default-backend
- {{- with .Values.defaultBackend.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- spec:
- allowPrivilegeEscalation: false
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- {{- end }}
- {{- end }}
|
