{{- if .Values.global.rbac.pspEnabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "tracing.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "tracing.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
- apiGroups:
  - policy
  resourceNames:
  - {{ include "tracing.fullname" . }}
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "tracing.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Values.provider }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
  - '*'
  fsGroup:
      ranges:
        - max: 65535
          min: 1
      rule: MustRunAs
  requiredDropCapabilities:
  - ALL
  runAsUser:
      rule: MustRunAsNonRoot
  runAsGroup:
      rule: MustRunAs
      ranges:
      - min: 1
        max: 65535
  seLinux:
      rule: RunAsAny
  supplementalGroups:
      ranges:
        - max: 65535
          min: 1
      rule: MustRunAs
  volumes:
  - emptyDir
  - secret
  - persistentVolumeClaim
{{- end }}