initial commit
All checks were successful
Build and Publish TechDocs (Helm Chart Resource) / build-and-publish-helm-chart (push) Successful in 1m12s
All checks were successful
Build and Publish TechDocs (Helm Chart Resource) / build-and-publish-helm-chart (push) Successful in 1m12s
Change-Id: If67c32e979b6d03a135072c836ca54ee01c99e66
This commit is contained in:
Scaffolder
@@ -0,0 +1,82 @@
|
||||
{{/*
|
||||
Copyright 2019 HAProxy Technologies LLC
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
|
||||
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }}
|
||||
{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }}
|
||||
{{- $useHostPort := .Values.controller.daemonset.useHostPort }}
|
||||
{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
|
||||
{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
|
||||
apiVersion: policy/v1
|
||||
{{- else }}
|
||||
apiVersion: policy/v1beta1
|
||||
{{- end }}
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
{{- if .Values.podSecurityPolicy.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "kubernetes-ingress.labels" . | nindent 4 }}
|
||||
name: {{ include "kubernetes-ingress.fullname" . }}
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
spec:
|
||||
allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
|
||||
allowedCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
defaultAllowPrivilegeEscalation: false
|
||||
fsGroup:
|
||||
rule: MustRunAs
|
||||
ranges:
|
||||
- max: 65535
|
||||
min: 1
|
||||
{{- if $useHostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
{{- if or $useHostPort $useHostNetwork }}
|
||||
hostPorts:
|
||||
{{- range $key, $value := .Values.controller.containerPort }}
|
||||
- min: {{ $value }}
|
||||
max: {{ $value }}
|
||||
{{- end }}
|
||||
{{- range .Values.controller.service.tcpPorts }}
|
||||
- min: {{ .port }}
|
||||
max: {{ .port }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
privileged: false
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: MustRunAs
|
||||
ranges:
|
||||
- max: 65535
|
||||
min: 1
|
||||
volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- secret
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
Reference in New Issue
Block a user