{{ if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.logging-operator
  namespace: {{ include "logging-operator.namespace" . }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
  labels:
{{ include "logging-operator.labels" . | indent 4 }}
spec:
  readOnlyRootFilesystem: true
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny
  volumes:
    - secret
    - configMap
{{ end }}