{{- if .Values.rbac.psp.enabled }}
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
apiVersion: policy/v1beta1
{{- else  }}
apiVersion: extensions/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "vault-secrets-webhook.fullname" . }}
  namespace: {{ .Release.Namespace }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
spec:
  allowPrivilegeEscalation: false
  allowedCapabilities:
  - IPC_LOCK
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - secret
  - emptyDir
  - configMap
---
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
apiVersion: policy/v1beta1
{{- else  }}
apiVersion: extensions/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  name: {{ template "vault-secrets-webhook.fullname" . }}.mutate
  namespace: {{ .Release.Namespace }}
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - secret
  - downwardAPI
  - emptyDir
  - configMap
{{- end }}