{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} {{- if and $pspAvailable .Values.psp.create .Values.controller.psp.create -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ printf "%s-controller" (include "common.names.fullname" .) }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} app.kubernetes.io/component: controller {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: allowPrivilegeEscalation: {{ .Values.controller.containerSecurityContext.allowPrivilegeEscalation }} allowedCapabilities: [] allowedHostPaths: [] defaultAddCapabilities: [] defaultAllowPrivilegeEscalation: {{ .Values.controller.containerSecurityContext.allowPrivilegeEscalation }} fsGroup: ranges: - max: {{ .Values.controller.podSecurityContext.fsGroup }} min: {{ .Values.controller.podSecurityContext.fsGroup }} rule: MustRunAs hostIPC: false hostNetwork: false hostPID: false privileged: false readOnlyRootFilesystem: {{ .Values.controller.containerSecurityContext.readOnlyRootFilesystem }} requiredDropCapabilities: {{- toYaml .Values.controller.containerSecurityContext.capabilities.drop | nindent 2 }} runAsUser: ranges: - max: {{ .Values.controller.containerSecurityContext.runAsUser }} min: {{ .Values.controller.containerSecurityContext.runAsUser }} rule: MustRunAs seLinux: rule: RunAsAny supplementalGroups: ranges: - max: {{ .Values.controller.containerSecurityContext.runAsUser }} min: {{ .Values.controller.containerSecurityContext.runAsUser }} rule: MustRunAs volumes: - configMap - secret - emptyDir {{- end -}}