{{- if .Values.podSecurityPolicy.enabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
  name: {{ template "traefik.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "traefik.name" . }}
    helm.sh/chart: {{ template "traefik.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
{{- if not .Values.securityContext.runAsNonRoot }}
  allowedCapabilities:
    - NET_BIND_SERVICE
{{- end }}
  hostNetwork: {{ .Values.hostNetwork }}
  hostIPC: false
  hostPID: false
  fsGroup:
{{- if .Values.securityContext.runAsNonRoot }}
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
{{- else }}
    rule: RunAsAny
{{- end }}
{{- if .Values.hostNetwork }}
  hostPorts:
  - max: 65535
    min: 1
{{- end }}
  readOnlyRootFilesystem: true
  runAsUser:
{{- if .Values.securityContext.runAsNonRoot }}
    rule: MustRunAsNonRoot
{{- else }}
    rule: RunAsAny
{{- end }}
  seLinux:
    rule: RunAsAny
  supplementalGroups:
{{- if .Values.securityContext.runAsNonRoot }}
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
{{- else }}
    rule: RunAsAny
{{- end }}
  volumes:
  - configMap
  - downwardAPI
  - secret
  - emptyDir
  - projected
{{- if .Values.persistence.enabled }}
  - persistentVolumeClaim
{{- end -}}
{{- end -}}