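{{- if .Values.global.podSecurityPolicy.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
# PodSecurityPolicy for the cert-manager webhook (cert-manager chart,
# templates/webhook-psp.yaml, vendored under platform-operator/thirdparty).
#
# Rendered only when the chart opts in (global.podSecurityPolicy.enabled) AND
# the cluster still serves policy/v1beta1/PodSecurityPolicy. PSP was removed in
# Kubernetes 1.25, so on newer clusters this template renders nothing and the
# equivalent restrictions must come from Pod Security Admission or an external
# policy engine — the conditional silently drops the policy, it does not warn.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "webhook.fullname" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
  annotations:
    # Seccomp: only the runtime default profile may be requested, and it is
    # applied when the pod requests none. These are the legacy annotation
    # forms; securityContext.seccompProfile on the Deployment is the
    # non-deprecated way to express the same thing.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    # AppArmor is opt-in (global.podSecurityPolicy.useAppArmor) because not
    # every node OS ships it; when enabled only the runtime default profile
    # is permitted and it is applied by default.
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    {{- end }}
spec:
  privileged: false
  # no_new_privs: setuid binaries and file capabilities cannot raise the
  # process's privileges after exec.
  allowPrivilegeEscalation: false
  # The webhook needs no Linux capabilities: this policy forces UID 1000
  # (runAsUser below) and forbids privilege escalation, so no capability could
  # ever become effective anyway. Drop the entire default bounding set rather
  # than leaving it implicitly allowed, and permit none to be added back.
  allowedCapabilities: []
  requiredDropCapabilities:
    - 'ALL'
  # Only non-host volume types; no hostPath, so the pod cannot reach the node
  # filesystem.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
  # webhook.hostNetwork places the pod in the node's network namespace. When
  # it is enabled, the only host port the pod may claim is its own
  # webhook.securePort; otherwise no host ports are allowed at all.
  hostNetwork: {{ .Values.webhook.hostNetwork }}
  {{- if .Values.webhook.hostNetwork }}
  hostPorts:
    - min: {{ .Values.webhook.securePort }}
      max: {{ .Values.webhook.securePort }}
  {{- end }}
  hostIPC: false
  hostPID: false
  # Pin the process identity and filesystem group to a single non-root
  # UID/GID; a pod requesting any other value is rejected.
  runAsUser:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
  # SELinux labelling is left to the container runtime.
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
{{- end }}
{{- end }}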