{{ if .Values.enablePSP -}} --- ### ### Control Plane PSP ### apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: linkerd-{{.Values.namespace}}-control-plane labels: linkerd.io/control-plane-ns: {{.Values.namespace}} spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true {{- if empty .Values.cniEnabled }} allowedCapabilities: - NET_ADMIN - NET_RAW {{- end}} requiredDropCapabilities: - ALL hostNetwork: false hostIPC: false hostPID: false seLinux: rule: RunAsAny runAsUser: {{- if .Values.cniEnabled }} rule: MustRunAsNonRoot {{- else }} rule: RunAsAny {{- end }} supplementalGroups: rule: MustRunAs ranges: {{- if .Values.cniEnabled }} - min: 10001 max: 65535 {{- else }} - min: 1 max: 65535 {{- end }} fsGroup: rule: MustRunAs ranges: {{- if .Values.cniEnabled }} - min: 10001 max: 65535 {{- else }} - min: 1 max: 65535 {{- end }} volumes: - configMap - emptyDir - secret - projected - downwardAPI - persistentVolumeClaim --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: linkerd-psp namespace: {{.Values.namespace}} labels: linkerd.io/control-plane-ns: {{.Values.namespace}} rules: - apiGroups: ['policy', 'extensions'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - linkerd-{{.Values.namespace}}-control-plane --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: linkerd-psp namespace: {{.Values.namespace}} labels: linkerd.io/control-plane-ns: {{.Values.namespace}} roleRef: kind: Role name: linkerd-psp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: linkerd-destination namespace: {{.Values.namespace}} {{ if not .Values.disableHeartBeat -}} - kind: ServiceAccount name: linkerd-heartbeat namespace: {{.Values.namespace}} {{ end -}} - kind: ServiceAccount name: linkerd-identity namespace: {{.Values.namespace}} - kind: ServiceAccount name: linkerd-proxy-injector namespace: {{.Values.namespace}} - kind: ServiceAccount name: linkerd-sp-validator namespace: {{.Values.namespace}} {{ end -}}