{{- if .Values.common.rbac.pspEnabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "provisioner.fullname" . }}
  labels:
    helm.sh/chart: {{ template "provisioner.chart" . }}
    app.kubernetes.io/name: {{ template "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  allowPrivilegeEscalation: true
  allowedHostPaths:
  - pathPrefix: /dev
  {{- range $classConfig := .Values.classes }}
  - pathPrefix: {{ $classConfig.hostDir }}
  {{- end }}
  fsGroup:
    rule: RunAsAny
  privileged: true
  requiredDropCapabilities:
  - ALL
  runAsUser:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - configMap
  - secret
  - hostPath
{{- end }}