{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}} {{- if .Values.global.rbac.pspEnabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: epinio-server-psp namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" app.kubernetes.io/part-of: epinio-server app: epinio-server {{- if .Values.global.rbac.pspAnnotations }} annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }} {{- end }} spec: privileged: false hostNetwork: false hostIPC: false hostPID: false runAsUser: # Permits the container to run with root privileges as well. rule: 'RunAsAny' seLinux: # This policy assumes the nodes are using AppArmor rather than SELinux. rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 0 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 0 max: 65535 readOnlyRootFilesystem: false --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: epinio-server-psp labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" app.kubernetes.io/part-of: epinio-server app: epinio-server rules: {{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }} - apiGroups: ['policy'] {{- else }} - apiGroups: ['extensions'] {{- end }} resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - epinio-server-psp --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: epinio-server-psp labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}" app.kubernetes.io/part-of: epinio-server app: epinio-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: epinio-server-psp subjects: - kind: ServiceAccount name: epinio-server namespace: {{ .Release.Namespace }} {{- end }} {{- end -}}