charts/cert-manager/templates/psp.yaml - atmosphere - Gitiles

 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "cert-manager.fullname" . }}
   labels:
     app: {{ include "cert-manager.name" . }}
     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
     seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
     {{- if .Values.global.podSecurityPolicy.useAppArmor }}
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     {{- end }}
 spec:
   privileged: false
   allowPrivilegeEscalation: false
   allowedCapabilities: []  # default set of capabilities are implicitly allowed
   volumes:
   - 'configMap'
   - 'emptyDir'
   - 'projected'
   - 'secret'
   - 'downwardAPI'
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
     rule: 'MustRunAs'
     ranges:
     - min: 1000
       max: 1000
   seLinux:
     rule: 'RunAsAny'
   supplementalGroups:
     rule: 'MustRunAs'
     ranges:
     - min: 1000
       max: 1000
   fsGroup:
     rule: 'MustRunAs'
     ranges:
     - min: 1000
       max: 1000
 {{- end }}
	{{- if .Values.global.podSecurityPolicy.enabled }}
	apiVersion: policy/v1beta1
	kind: PodSecurityPolicy
	metadata:
	name: {{ template "cert-manager.fullname" . }}
	labels:
	app: {{ include "cert-manager.name" . }}
	app.kubernetes.io/name: {{ include "cert-manager.name" . }}
	app.kubernetes.io/instance: {{ .Release.Name }}
	app.kubernetes.io/component: "controller"
	{{- include "labels" . \| nindent 4 }}
	annotations:
	seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
	seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
	{{- if .Values.global.podSecurityPolicy.useAppArmor }}
	apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
	apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
	{{- end }}
	spec:
	privileged: false
	allowPrivilegeEscalation: false
	allowedCapabilities: [] # default set of capabilities are implicitly allowed
	volumes:
	- 'configMap'
	- 'emptyDir'
	- 'projected'
	- 'secret'
	- 'downwardAPI'
	hostNetwork: false
	hostIPC: false
	hostPID: false
	runAsUser:
	rule: 'MustRunAs'
	ranges:
	- min: 1000
	max: 1000
	seLinux:
	rule: 'RunAsAny'
	supplementalGroups:
	rule: 'MustRunAs'
	ranges:
	- min: 1000
	max: 1000
	fsGroup:
	rule: 'MustRunAs'
	ranges:
	- min: 1000
	max: 1000
	{{- end }}