# PodSecurityPolicy for the flannel CNI DaemonSet: non-privileged, non-root,
# host networking, a small hostPath allow-list and only the two network
# capabilities flannel needs.
#
# NOTE(review): PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed
# in 1.25. On clusters at or beyond that version this resource cannot be
# applied; the equivalent constraints would have to move to Pod Security
# Admission (a `privileged`-level namespace for flannel) or an admission
# controller such as Gatekeeper/Kyverno.
resource "kubernetes_pod_security_policy" "this" {
  metadata {
    name = "psp.flannel.unprivileged"

    # Seccomp/AppArmor enforcement on a PSP is annotation-driven, not part of
    # spec{}. `docker/default` is the pre-1.11 spelling of `runtime/default`
    # (same profile); `runtime/default` is the current, runtime-neutral name
    # and is what the AppArmor lines below already use — consider aligning the
    # seccomp lines with it after confirming which spelling the flannel pod
    # annotations carry, since the allowed list is matched by string.
    annotations = {
      "seccomp.security.alpha.kubernetes.io/allowedProfileNames" : "docker/default",
      "seccomp.security.alpha.kubernetes.io/defaultProfileName" : "docker/default",
      "apparmor.security.beta.kubernetes.io/allowedProfileNames" : "runtime/default",
      "apparmor.security.beta.kubernetes.io/defaultProfileName" : "runtime/default",
    }
  }

  spec {
    # Privilege Escalation
    # allow_privilege_escalation=false forces no_new_privs on every container
    # matched by this policy. NOTE(review): this does not prevent the
    # NET_ADMIN/NET_RAW capabilities below from being granted — those are set
    # by the runtime from securityContext.capabilities.add, not acquired via
    # setuid/file caps — so the two settings are compatible.
    allow_privilege_escalation         = false
    default_allow_privilege_escalation = false
    privileged                         = false

    # hostPath is required for flannel to drop its CNI config and subnet
    # lease on the node; the prefixes below are the only host paths a pod
    # admitted under this policy may mount (a prefix also matches
    # subdirectories). NOTE(review): none of the entries sets `read_only`,
    # so a mount of any of them may be writable. flannel writes to
    # /etc/cni/net.d and /run/flannel; whether /etc/kube-flannel needs to
    # be writable is not visible here — confirm against the DaemonSet and
    # add `read_only = true` where it does not.
    volumes = [
      "configMap",
      "secret",
      "emptyDir",
      "hostPath",
    ]

    allowed_host_paths {
      path_prefix = "/etc/cni/net.d"
    }

    allowed_host_paths {
      path_prefix = "/etc/kube-flannel"
    }

    allowed_host_paths {
      path_prefix = "/run/flannel"
    }

    # Not enforcing a read-only root filesystem. NOTE(review): flannel's
    # writable state appears to live on the hostPath/emptyDir volumes
    # above; if the image does not write elsewhere, `true` would be a cheap
    # hardening step — verify before changing.
    read_only_root_filesystem = false

    # Users and groups
    # MustRunAsNonRoot rejects any container that would run as UID 0, i.e.
    # the flannel image must declare a numeric non-root USER or the pod must
    # set runAsUser. NOTE(review): upstream flannel manifests run the
    # container as root and use RunAsAny here; confirm the image used by this
    # deployment really runs non-root, otherwise the DaemonSet will be
    # denied admission.
    run_as_user {
      rule = "MustRunAsNonRoot"
    }

    supplemental_groups {
      rule = "RunAsAny"
    }

    fs_group {
      rule = "RunAsAny"
    }

    # Capabilities
    # Only NET_ADMIN (routes, interfaces, VXLAN setup) and NET_RAW may be
    # added by the pod spec; nothing is added implicitly. No capability is
    # mandatory to drop, so the container keeps the runtime's default set on
    # top of the two above. NOTE(review): `required_drop_capabilities =
    # ["ALL"]` would reduce that default set, but it is only admitted if the
    # flannel pod spec itself drops ALL and adds NET_ADMIN/NET_RAW back —
    # a coordinated change to the DaemonSet, not a policy-only tweak.
    allowed_capabilities       = ["NET_ADMIN", "NET_RAW"]
    default_add_capabilities   = []
    required_drop_capabilities = []

    # Host namespaces
    # Host networking is what flannel exists to configure; PID and IPC
    # namespaces stay isolated. NOTE(review): the host_ports range only
    # constrains explicit `hostPort` declarations in the pod spec; with
    # host_network = true the pod can already bind any host port
    # directly, so the full 0-65535 range adds no exposure beyond
    # host_network itself. Narrowing it is cosmetic unless host_network is
    # also removed.
    host_pid     = false
    host_ipc     = false
    host_network = true

    host_ports {
      min = 0
      max = 65535
    }

    # SELinux
    se_linux {
      # SELinux is unused in CaaSP
      rule = "RunAsAny"
    }
  }
}