{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }}
SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm
doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12
the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older.
Instead, we recommend you to configure Pod Security AdmissionControllers for
the namespace "{{.Release.Namespace}}" by adding the label
`pod-security.kubernetes.io/enforce: baseline` on the namespace resource.

See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/

To remove this warning, explicitly set "podSecurityPolicy.enabled=false".
{{- end }}

{{- if .Values.teleportVersionOverride }}

DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
This chart is designed to run Teleport version {{ .Chart.AppVersion }}.
You will face compatibility issues trying to run a different Teleport version with it.

If you want to run Teleport version {{.Values.teleportVersionOverride}},
you should use `helm --version {{.Values.teleportVersionOverride}}` instead.
{{- end }}
{{- if contains "-gke." .Capabilities.KubeVersion.Version -}}
{{- $groupName := (coalesce .Values.adminClusterRoleBinding.name "cluster-admin") }}

WARNING: GKE Autopilot clusters forbid users from impersonating system-wide identities.
This means you won't be able to use the `system:masters` Kubernetes Group in
the Teleport Roles for GKE Autopilot clusters.

Given that you installed Teleport on a GKE cluster, we recommend you use the
Kubernetes Group `{{ $groupName }}` instead of `system:masters` in the Teleport Roles
for GKE Autopilot clusters.

To do so, you can use the following Teleport Role resource:

 kind: role
 metadata:
   name: gke-kube-access
 version: v6
 spec:
   allow:
     kubernetes_labels:
       '*': '*'
     kubernetes_groups:
     - "{{ $groupName }}"

This chart automatically created the `{{ $groupName }}` Kubernetes Group for you and
assigned it admin privileges on the Kubernetes cluster.

Consult the built-in security features that GKE Autopilot enforces:
https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-security#built-in-security

{{- end }}