
     1  {{- if .Values.global.podSecurityPolicy.enabled }}
     2  {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
     3  apiVersion: policy/v1beta1
     4  kind: PodSecurityPolicy
     5  metadata:
     6    name: {{ template "cert-manager.fullname" . }}
     7    labels:
     8      app: {{ include "cert-manager.name" . }}
     9      app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    10      app.kubernetes.io/instance: {{ .Release.Name }}
    11      app.kubernetes.io/component: "controller"
    12      {{- include "labels" . | nindent 4 }}
    13    annotations:
    14      seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    15      seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    16      {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    17      apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    18      apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    19      {{- end }}
    20  spec:
    21    privileged: false
    22    allowPrivilegeEscalation: false
    23    allowedCapabilities: []  # default set of capabilities are implicitly allowed
    24    volumes:
    25    - 'configMap'
    26    - 'emptyDir'
    27    - 'projected'
    28    - 'secret'
    29    - 'downwardAPI'
    30    hostNetwork: false
    31    hostIPC: false
    32    hostPID: false
    33    runAsUser:
    34      rule: 'MustRunAs'
    35      ranges:
    36      - min: 1000
    37        max: 1000
    38    seLinux:
    39      rule: 'RunAsAny'
    40    supplementalGroups:
    41      rule: 'MustRunAs'
    42      ranges:
    43      - min: 1000
    44        max: 1000
    45    fsGroup:
    46      rule: 'MustRunAs'
    47      ranges:
    48      - min: 1000
    49        max: 1000
    50  {{- end }}
    51  {{- end }}