{{- if .Values.psp }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
    name: {{ .Release.Name }}-psp
    labels:
        app: {{ template "openfaas.name" . }}
        chart: {{ .Chart.Name }}-{{ .Chart.Version }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
    annotations:
        seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
    privileged: false
    hostIPC: false
    hostNetwork: false
    hostPID: false
    readOnlyRootFilesystem: false
    allowPrivilegeEscalation: false
    allowedCapabilities:
        - NET_ADMIN
        - NET_RAW
    fsGroup:
        rule: RunAsAny
    hostPorts:
        - max: 65535
          min: 1
    runAsUser:
        rule: RunAsAny
    seLinux:
        rule: RunAsAny
    supplementalGroups:
        rule: RunAsAny
    volumes:
        - '*'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
    name: {{ .Release.Name }}-psp
    labels:
        app: {{ template "openfaas.name" . }}
        chart: {{ .Chart.Name }}-{{ .Chart.Version }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
rules:
    - apiGroups: ['policy']
      resources: ['podsecuritypolicies']
      verbs:     ['use']
      resourceNames:
          - {{ .Release.Name }}-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
    name: {{ .Release.Name }}-psp
    namespace: {{ .Release.Namespace | quote }}
roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: {{ .Release.Name }}-psp
subjects:
    # bind the PSP cluster role to all service accounts in the OF namespace
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:serviceaccounts:{{ .Release.Namespace }}
      namespace: {{ .Release.Namespace }}
{{- end }}