{{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 25 }} {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} {{- if .Values.container.enabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ include "falcon-sensor.fullname" . }}-container labels: app: {{ include "falcon-sensor.name" . }} app.kubernetes.io/name: {{ include "falcon-sensor.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/component: "container_sensor" crowdstrike.com/provider: crowdstrike helm.sh/chart: {{ include "falcon-sensor.chart" . }} spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: false requiredDropCapabilities: - KILL - MKNOD - SYS_CHROOT - AUDIT_WRITE - CHOWN - FOWNER - FSETID - NET_BIND_SERVICE - NET_RAW - SETPCAP allowedCapabilities: - SYS_PTRACE - DAC_OVERRIDE - SETUID - SETGID fsGroup: rule: RunAsAny hostIPC: false hostNetwork: false hostPID: false privileged: false runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - projected - secret {{- end }} {{- end }} {{- end }}