Merge 3d47849eed into 1af4c50ed0

charts/postgres-operator/templates/clusterrole-postgres-pod.yaml

@@ -57,14 +57,14 @@ rules:
   - services
   verbs:
   - create
-{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
+{{- if or (toString .Values.configKubernetes.spilo_privileged | eq "true") (.Values.rbac.spiloRunWithPsp) }}
 # to run privileged pods
 - apiGroups:
   - extensions
   resources:
   - podsecuritypolicies
   resourceNames:
-  - privileged
+  - {{ .Values.rbac.spiloPrivilegedPodSecurityPolicy }}
   verbs:
   - use
 {{- end }}

charts/postgres-operator/templates/clusterrole.yaml

@@ -242,14 +242,14 @@ rules:
   verbs:
   - get
   - create
-{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
+{{- if or (toString .Values.configKubernetes.spilo_privileged | eq "true") (.Values.rbac.operatorRunWithPsp) }}
 # to run privileged pods
 - apiGroups:
   - extensions
   resources:
   - podsecuritypolicies
   resourceNames:
-  - privileged
+  - {{ .Values.rbac.operatorPrivilegedPodSecurityPolicy }}
   verbs:
   - use
 {{- end }}

charts/postgres-operator/values.yaml

@@ -461,6 +461,11 @@ rbac:
   create: true
   # Specifies whether ClusterRoles that are aggregated into the K8s default roles should be created. (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings)
   createAggregateClusterRoles: false
+  # If cluster is set to run as privileged - which pod security policy should be used
+  operatorRunWithPsp: false
+  spiloRunWithPsp: false
+  spiloPrivilegedPodSecurityPolicy: privileged
+  operatorPrivilegedPodSecurityPolicy: privileged
 
 serviceAccount:
   # Specifies whether a ServiceAccount should be created