66 lines
1.6 KiB
YAML
66 lines
1.6 KiB
YAML
{{- if .Values.rbac.psp.enabled }}
|
|
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
|
|
apiVersion: policy/v1beta1
|
|
{{- else }}
|
|
apiVersion: extensions/v1beta1
|
|
{{- end }}
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: {{ template "vault-secrets-webhook.fullname" . }}
|
|
namespace: {{ .Release.Namespace }}
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
|
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
|
|
spec:
|
|
allowPrivilegeEscalation: false
|
|
allowedCapabilities:
|
|
- IPC_LOCK
|
|
fsGroup:
|
|
ranges:
|
|
- max: 65535
|
|
min: 1
|
|
rule: MustRunAs
|
|
readOnlyRootFilesystem: true
|
|
runAsUser:
|
|
rule: MustRunAsNonRoot
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
ranges:
|
|
- max: 65535
|
|
min: 1
|
|
rule: MustRunAs
|
|
volumes:
|
|
- secret
|
|
- emptyDir
|
|
- configMap
|
|
---
|
|
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
|
|
apiVersion: policy/v1beta1
|
|
{{- else }}
|
|
apiVersion: extensions/v1beta1
|
|
{{- end }}
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
|
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
|
|
name: {{ template "vault-secrets-webhook.fullname" . }}.mutate
|
|
namespace: {{ .Release.Namespace }}
|
|
spec:
|
|
allowPrivilegeEscalation: false
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- secret
|
|
- downwardAPI
|
|
- emptyDir
|
|
- configMap
|
|
{{- end }}
|