{{- /*
Source: github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml

PodSecurityPolicy for the ingress-nginx admission-webhook patch job.

Rendered only when both gates below pass:
  1. The cluster's Kubernetes version is below 1.25.0. The policy/v1beta1
     PodSecurityPolicy API was removed in Kubernetes 1.25.
  2. controller.admissionWebhooks.enabled, controller.admissionWebhooks.patch.enabled
     and podSecurityPolicy.enabled are all set, and
     controller.admissionWebhooks.existingPsp is empty.

NOTE(review): a PodSecurityPolicy constrains a pod only if the pod's service
account (or user) is granted `use` on it through RBAC. That Role/RoleBinding is
not part of this file; confirm it exists in the sibling job-patch templates.
NOTE(review): on clusters at 1.25 or later nothing is rendered here, so the
restrictions below must come from another mechanism such as Pod Security
Admission.
*/ -}}
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "ingress-nginx.fullname" . }}-admission
  annotations:
    # Created as a Helm hook around install and upgrade rather than as a regular release object.
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    # Deleted before each re-creation and after the hook succeeds. A failed hook leaves the
    # policy in place until the next hook run.
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: admission-webhook
    {{- with .Values.controller.admissionWebhooks.patch.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  # Fields not listed here (privileged, hostNetwork, hostPID, hostIPC, hostPorts) keep the
  # PodSecurityPolicy defaults, which do not allow them.
  # Blocks setuid binaries and similar paths from gaining more privileges than the parent process.
  allowPrivilegeEscalation: false
  # GID 0 is outside the permitted range, so volumes cannot be owned by the root group.
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  # Every Linux capability must be dropped by the containers admitted under this policy.
  requiredDropCapabilities:
  - ALL
  # Containers must run as a non-zero UID.
  runAsUser:
    rule: MustRunAsNonRoot
  # No SELinux context is enforced by this policy; any context is accepted.
  seLinux:
    rule: RunAsAny
  # Supplemental groups are also limited to 1-65535, which excludes the root group.
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  # Allow-list of volume types. hostPath is absent, so node filesystem mounts are rejected.
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
{{- end }}
{{- end }}