{{- if .Values.global.rbac.pspEnabled }}

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: epinio-server-psp
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
    app.kubernetes.io/part-of: epinio-server
    app: epinio-server
{{- if .Values.global.rbac.pspAnnotations }}
  annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
  privileged: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Permits the container to run with root privileges as well.
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 0
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 0
        max: 65535
  readOnlyRootFilesystem: false

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: epinio-server-psp
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
    app.kubernetes.io/part-of: epinio-server
    app: epinio-server
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - epinio-server-psp

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: epinio-server-psp
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
    app.kubernetes.io/part-of: epinio-server
    app: epinio-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: epinio-server-psp
subjects:
  - kind: ServiceAccount
    name: epinio-server
    namespace: {{ .Release.Namespace }}

{{- end }}