apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx

---

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  allowedCapabilities:
    - NET_BIND_SERVICE
  privileged: false
  allowPrivilegeEscalation: true
  # Allow core volume types.
  volumes:
    - configMap
    - secret
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: MustRunAs
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  seLinux:
    rule: RunAsAny

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-psp
  namespace: ingress-nginx
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  verbs: [use]
  resourceNames: [ingress-nginx]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-psp
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-psp
subjects:
- kind: ServiceAccount
  name: default
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx