1234567891011121314151617181920212223242526272829303132333435363738394041 |
- {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
- {{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
- apiVersion: policy/v1beta1
- kind: PodSecurityPolicy
- metadata:
- name: {{ include "ingress-nginx.fullname" . }}-admission
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- labels:
- {{- include "ingress-nginx.labels" . | nindent 4 }}
- app.kubernetes.io/component: admission-webhook
- {{- with .Values.controller.admissionWebhooks.patch.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- spec:
- allowPrivilegeEscalation: false
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- {{- end }}
- {{- end }}