github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/cert-manager/templates/cainjector-psp.yaml (about)

     1  {{- if .Values.cainjector.enabled }}
     2  {{- if .Values.global.podSecurityPolicy.enabled }}
     3  {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
        # PodSecurityPolicy named after the cainjector component.
        # Rendered only when cainjector is enabled, global.podSecurityPolicy.enabled
        # is set, and the cluster advertises policy/v1beta1 PodSecurityPolicy.
        # PodSecurityPolicy was removed in Kubernetes 1.25; on clusters without the
        # API this template renders nothing, so equivalent restrictions have to come
        # from another mechanism (for example Pod Security Admission).
        # NOTE(review): a PSP only takes effect for pods whose service account is
        # granted "use" on it; that RBAC binding is not in this file - confirm it
        # exists elsewhere in the chart.
     4  apiVersion: policy/v1beta1
     5  kind: PodSecurityPolicy
     6  metadata:
     7    name: {{ template "cainjector.fullname" . }}
     8    labels:
     9      app: {{ include "cainjector.name" . }}
    10      app.kubernetes.io/name: {{ include "cainjector.name" . }}
    11      app.kubernetes.io/instance: {{ .Release.Name }}
    12      app.kubernetes.io/component: "cainjector"
            # Chart-wide labels from the "labels" named template, re-indented to
            # sit under metadata.labels.
    13      {{- include "labels" . | nindent 4 }}
    14    annotations:
            # Seccomp: 'docker/default' is the only allowed profile and is also the
            # default applied to pods that do not request one.
            # NOTE(review): 'docker/default' is the deprecated spelling of
            # 'runtime/default' (deprecated since Kubernetes 1.11) - confirm the
            # targeted cluster versions still honour it.
    15      seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    16      seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
            # AppArmor: opt-in via .Values.global.podSecurityPolicy.useAppArmor; when
            # set, 'runtime/default' is both the only allowed and the default profile.
    17      {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    18      apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    19      apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    20      {{- end }}
    21  spec:
          # No privileged containers, and processes may not gain more privileges
          # than their parent.
    22    privileged: false
    23    allowPrivilegeEscalation: false
          # Nothing may be added beyond the container runtime's default capability set.
          # NOTE(review): requiredDropCapabilities is not set, so that default set
          # stays available to the pod - check whether cainjector needs any of it
          # and whether dropping ALL is feasible.
    24    allowedCapabilities: []  # default set of capabilities are implicitly allowed
          # Allow-list of volume types. hostPath is not listed, so pods admitted
          # under this policy cannot mount paths from the node filesystem.
    25    volumes:
    26    - 'configMap'
    27    - 'emptyDir'
    28    - 'projected'
    29    - 'secret'
    30    - 'downwardAPI'
          # No access to the node's network, IPC or PID namespaces.
    31    hostNetwork: false
    32    hostIPC: false
    33    hostPID: false
          # Pin the container UID to exactly 1000 (min == max), which rules out
          # running as root (UID 0).
    34    runAsUser:
    35      rule: 'MustRunAs'
    36      ranges:
    37      - min: 1000
    38        max: 1000
          # The SELinux context is left unconstrained by this policy.
    39    seLinux:
    40      rule: 'RunAsAny'
          # Supplemental groups are pinned to GID 1000 only.
    41    supplementalGroups:
    42      rule: 'MustRunAs'
    43      ranges:
    44      - min: 1000
    45        max: 1000
          # fsGroup (group ownership applied to mounted volumes) is pinned to GID 1000.
    46    fsGroup:
    47      rule: 'MustRunAs'
    48      ranges:
    49      - min: 1000
    50        max: 1000
          # NOTE(review): readOnlyRootFilesystem is not set, so a writable container
          # root filesystem is permitted - confirm whether that is intended.
    51  {{- end }}
    52  {{- end }}
    53  {{- end }}