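{{- if .Values.global.podSecurityPolicy.enabled }}
# PodSecurityPolicy for the cert-manager controller pod.
# Rendered only when global.podSecurityPolicy.enabled is set.
# policy/v1beta1 PodSecurityPolicy was removed from Kubernetes in 1.25;
# this object only applies on clusters that still serve that API.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "cert-manager.fullname" . }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
  annotations:
    # Pods must use the docker/default seccomp profile; it is also applied
    # when a pod does not request one.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
  {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    # AppArmor confinement is opt-in via global.podSecurityPolicy.useAppArmor.
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
  {{- end }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # No capabilities beyond the runtime's default set may be added; the default
  # set itself is implicitly allowed.
  # NOTE(review): requiredDropCapabilities and readOnlyRootFilesystem are not
  # set here; tightening them requires checking the controller pod spec first.
  allowedCapabilities: []
  # Only non-host volume types are permitted (no hostPath).
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
  # No access to host namespaces.
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # UID and GIDs are pinned to exactly 1000 (min == max); presumably this
  # matches the non-root user of the controller image — confirm against the
  # Deployment's securityContext.
  runAsUser:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
{{- end }}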