{{- if .Values.psp.create -}}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "k8s-prometheus-adapter.fullname" . }}
  labels:
    app: {{ template "k8s-prometheus-adapter.name" . }}
    chart: {{ template "k8s-prometheus-adapter.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  {{- if .Values.hostNetwork.enabled }}
  hostNetwork: true
  {{- end }}
  fsGroup:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAs
    ranges:
    - min: 1024
      max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - secret
  - emptyDir
  - configMap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: {{ template "k8s-prometheus-adapter.name" . }}
    chart: {{ template "k8s-prometheus-adapter.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  name: {{ template "k8s-prometheus-adapter.name" . }}-psp
rules:
- apiGroups: 
  - 'policy'
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - {{ template "k8s-prometheus-adapter.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: {{ template "k8s-prometheus-adapter.name" . }}
    chart: {{ template "k8s-prometheus-adapter.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  name: {{ template "k8s-prometheus-adapter.name" . }}-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "k8s-prometheus-adapter.name" . }}-psp
subjects:
- kind: ServiceAccount
  name: {{ template "k8s-prometheus-adapter.serviceAccountName" . }}
  namespace: {{ .Release.Namespace | quote }}
{{- end -}}