
{{- /*
PodSecurityPolicy granted to the ingress-nginx controller pods.

Rendered only when both guards below hold:
  - the target cluster is older than Kubernetes 1.25 (the policy/v1beta1
    PodSecurityPolicy API was removed in 1.25; the "-0" suffix makes
    pre-release builds of 1.25 count as 1.25, so they are excluded too), and
  - .Values.podSecurityPolicy.enabled is true and no pre-existing policy is
    named in .Values.controller.existingPsp (when one is named, nothing is
    emitted and that policy is expected to cover the controller instead).

The "#" comments in this template are rendered into the manifest; they are
ignored by the API server but visible in "helm template" output.
*/ -}}
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "ingress-nginx.fullname" . }}
  # Common chart labels, the controller component label, and any extra
  # labels supplied via .Values.controller.labels.
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: controller
    {{- with .Values.controller.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  # Capabilities a controller container may request on top of the runtime's
  # default set. NET_BIND_SERVICE lets a non-root process bind ports below
  # 1024; SYS_CHROOT is only added for the chroot variant of the controller
  # image (.Values.controller.image.chroot).
  allowedCapabilities:
    - NET_BIND_SERVICE
  {{- if .Values.controller.image.chroot }}
    - SYS_CHROOT
  {{- end }}
{{- if .Values.controller.sysctls }}
  # Every key of .Values.controller.sysctls is allowed verbatim as an
  # "unsafe" sysctl; the map values are not used here. Unsafe sysctls are the
  # ones Kubernetes does not consider isolated to a single pod, so review that
  # map carefully. The kubelet must also permit them (its
  # allowed-unsafe-sysctls setting) or the pods will not be scheduled.
  allowedUnsafeSysctls:
  {{- range $sysctl, $value := .Values.controller.sysctls }}
  - {{ $sysctl }}
  {{- end }}
{{- end }}
  privileged: false
  # Privilege escalation (setuid binaries, file capabilities) stays allowed.
  # NOTE(review): presumably needed because the controller binary carries
  # file capabilities so it can bind 80/443 while running as non-root --
  # confirm against the controller's securityContext before setting this to
  # false.
  allowPrivilegeEscalation: true
  # Allow core volume types.
  # hostPath is not listed, so pods under this policy cannot mount the node
  # filesystem.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
{{- if .Values.controller.hostNetwork }}
  # Only emitted when host networking is requested; when the field is absent
  # it defaults to false, i.e. host networking is forbidden.
  hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
  # Host ports the controller pods may use. Each entry is a single-port range
  # (min == max), so exactly the ports below are allowed: the container ports
  # when host networking is on, otherwise the configured hostPort ports, plus
  # the metrics and admission-webhook ports when those features are enabled,
  # and any user-defined TCP/UDP service ports.
  hostPorts:
{{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }}
  # {{ $key }}
  - min: {{ $value }}
    max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
  # {{ $key }}
  - min: {{ $value }}
    max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
  # metrics
  - min: {{ .Values.controller.metrics.port }}
    max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
  # admission webhooks
  - min: {{ .Values.controller.admissionWebhooks.port }}
    max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- /* For .Values.tcp and .Values.udp the map key is the exposed port; the
value (the backing service) is not used by this policy. */}}
{{- range $key, $value := .Values.tcp }}
  # {{ $key }}-tcp
  - min: {{ $key }}
    max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
  # {{ $key }}-udp
  - min: {{ $key }}
    max: {{ $key }}
{{- end }}
{{- end }}
  # The host IPC and PID namespaces are never shared with controller pods.
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group (GID 0).
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group (GID 0).
      - min: 1
        max: 65535
  # A writable root filesystem is permitted, not required.
  # NOTE(review): the controller likely writes under /tmp and its nginx
  # directories -- confirm what it writes to before enforcing true here.
  readOnlyRootFilesystem: false
  # No SELinux context is imposed; whatever the pod spec or node default
  # provides is accepted.
  seLinux:
    rule: 'RunAsAny'
{{- end }}
{{- end }}