-{{- if .Values.podSecurityPolicy.enabled }}
-apiVersion: policy/v1beta1
+{{- if and (.Values.podSecurityPolicy.enabled) }}
+apiVersion: {{ include "kong.policyVersion" . }}
kind: PodSecurityPolicy
metadata:
name: {{ template "kong.serviceAccountName" . }}-psp
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
+ {{- with .Values.podSecurityPolicy.labels }}
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.podSecurityPolicy.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
spec:
- privileged: false
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- runAsGroup:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'secret'
- - 'emptyDir'
- allowPrivilegeEscalation: false
- hostNetwork: false
- hostIPC: false
- hostPID: false
+{{ .Values.podSecurityPolicy.spec | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
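Review bot: The new `{{ .Values.podSecurityPolicy.spec | toYaml | indent 2 }}` line renders `null` under `spec:` when the value is unset or empty instead of failing, so the policy's entire posture now rests on a value this diff does not show; wrap it as `{{ required "podSecurityPolicy.spec must be set when podSecurityPolicy.enabled is true" .Values.podSecurityPolicy.spec | toYaml | indent 2 }}` so a missing spec aborts rendering rather than producing an unusable or permissive PSP. The label loop emits `{{ $key }}: {{ $value }}` unquoted while the annotation loop uses `| quote`; a label value such as `true` or `1.20` is retyped by the YAML parser and rejected by the API server, so write `{{ $key }}: {{ $value | quote }}` there too. `{{- if and (.Values.podSecurityPolicy.enabled) }}` applies `and` to a single operand and reads like a leftover from a removed second condition; `{{- if .Values.podSecurityPolicy.enabled }}` is equivalent. Whether the values.yaml default reproduces the removed `privileged: false`, `allowPrivilegeEscalation: false` and `host*` settings cannot be confirmed from this diff.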
{{- include "kong.metaLabels" . | nindent 4 }}
rules:
- apiGroups:
- - extensions
+ - policy
resources:
- podsecuritypolicies
verbs:
kind: ClusterRoleBinding
metadata:
name: {{ template "kong.serviceAccountName" . }}-psp
- namespace: {{ .Release.Namespace }}
+ namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ template "kong.namespace" . }}
roleRef:
kind: ClusterRole
name: {{ template "kong.serviceAccountName" . }}-psp
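Review bot: The `namespace:` line under `metadata` of the ClusterRoleBinding is ignored by the API server because the resource is cluster-scoped, and the commit re-templates it instead of dropping it; some validation tooling also flags a namespace on a cluster-scoped object, so removing `namespace: {{ template "kong.namespace" . }}` from `metadata` is the cleaner fix. The change to `subjects[].namespace` is the one that matters: the binding only takes effect if it names the namespace the ServiceAccount is actually created in. The body of `kong.namespace` is not in this diff, so confirm the ServiceAccount manifest uses the same template; otherwise the binding silently points at a non-existent subject and the PSP permissions from the ClusterRole are never granted.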