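{{- /*
PodSecurityPolicy for the node sensor.

Rendered only when all three conditions hold:
  1. the cluster advertises policy/v1beta1/PodSecurityPolicy,
  2. the Kubernetes minor version is below 25 (the PodSecurityPolicy API
     was removed in v1.25),
  3. .Values.node.enabled is set.
On clusters where this renders nothing, restrictions on privileged pods
have to come from another admission mechanism; none is defined in this file.
*/ -}}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
{{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 25 }}
{{- if .Values.node.enabled }}
# SECURITY: this policy restricts nothing. It allows privileged containers,
# every capability, all three host namespaces, every volume type (hostPath
# included) and a writable root filesystem. A pod admitted under it has
# node-level access.
# A PodSecurityPolicy only applies to subjects that hold the RBAC `use` verb
# on it. The Role/ClusterRole and binding are not part of this template:
# verify that they name only the sensor's service account and never a broad
# group such as system:authenticated or system:serviceaccounts.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "falcon-sensor.fullname" . }}-node
  labels:
    # Templated label values are quoted so that a value made only of digits
    # (or one that looks like a boolean) still renders as a string.
    app: {{ include "falcon-sensor.name" . | quote }}
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    # NOTE(review): the component reads "container_sensor" although this
    # policy is named "-node" and gated on .Values.node.enabled. Confirm the
    # intended value.
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . | quote }}
spec:
  # Privilege: nothing is withheld. `privileged: true` already implies the
  # full capability set, so the '*' entry below adds no further restriction.
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  readOnlyRootFilesystem: false
  # Host namespaces: pods may share the node's IPC, network and PID namespaces.
  hostIPC: true
  hostNetwork: true
  hostPID: true
  # Identity: any UID, GID and SELinux context is accepted, including root.
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Volumes: '*' admits every volume type, including hostPath mounts of the
  # node filesystem.
  volumes:
    - '*'
{{- end }}
{{- end }}
{{- end }}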