{{- if .Values.global.podSecurityPolicy.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
# PodSecurityPolicy for the cert-manager controller (vendored chart under
# platform-operator/thirdparty/charts/cert-manager). Rendered only when the
# chart value global.podSecurityPolicy.enabled is set AND the target cluster
# still serves policy/v1beta1/PodSecurityPolicy, so the chart remains
# installable on clusters where the PSP API is no longer available.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "cert-manager.fullname" . }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: controller
    {{- include "labels" . | nindent 4 }}
  annotations:
    # Seccomp: pods admitted by this policy may only use the docker/default
    # profile, and receive it when they do not request one themselves.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    # AppArmor is opt-in via global.podSecurityPolicy.useAppArmor; when set,
    # runtime/default is both the only allowed and the default profile.
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    {{- end }}
spec:
  # No privileged containers, and no privilege escalation (setuid binaries,
  # file capabilities) inside them.
  privileged: false
  allowPrivilegeEscalation: false
  # Pods may not request capabilities beyond the container runtime's default
  # set; that default set is not dropped by this policy either.
  allowedCapabilities: []
  # Only these volume types may be mounted; hostPath in particular is absent.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
  # Host network, IPC and PID namespaces stay off.
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # UID and GIDs are pinned to exactly 1000: pods admitted here run as
  # UID 1000 with supplemental group and fsGroup 1000.
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 1000
  # SELinux context is left to the pod / node defaults.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 1000
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 1000
{{- end }}
{{- end }}