From 94889bac088609bddbdeedab22ceef92fbee03fe Mon Sep 17 00:00:00 2001
From: Marco Ebert <marco@giantswarm.io>
Date: Fri, 6 Oct 2023 18:37:59 +0200
Subject: [PATCH] Controller/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.
---
 .../templates/controller-psp.yaml             | 52 +++++++++----------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml
index 08f637001..3c2065d86 100644
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@@ -11,25 +11,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  {{- if .Values.controller.image.chroot }}
-    - SYS_CHROOT
-  {{- end }}
-{{- if .Values.controller.sysctls }}
-  allowedUnsafeSysctls:
-  {{- range $sysctl, $value := .Values.controller.sysctls }}
-    - {{ $sysctl }}
-  {{- end }}
-{{- end }}
   privileged: false
-  allowPrivilegeEscalation: true
-  volumes:
-    - configMap
-    - emptyDir
-    - projected
-    - secret
-    - downwardAPI
+  hostPID: false
+  hostIPC: false
 {{- if .Values.controller.hostNetwork }}
   hostNetwork: {{ .Values.controller.hostNetwork }}
 {{- end }}
@@ -69,8 +53,18 @@ spec:
       max: {{ $key }}
   {{- end }}
 {{- end }}
-  hostIPC: false
-  hostPID: false
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
   runAsUser:
     rule: MustRunAsNonRoot
   supplementalGroups:
@@ -78,13 +72,19 @@ spec:
     ranges:
       - min: 1
         max: 65535
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+  {{- if .Values.controller.image.chroot }}
+    - SYS_CHROOT
+  {{- end }}
   seLinux:
     rule: RunAsAny
+{{- if .Values.controller.sysctls }}
+  allowedUnsafeSysctls:
+  {{- range $sysctl, $value := .Values.controller.sysctls }}
+    - {{ $sysctl }}
+  {{- end }}
+{{- end }}
 {{- end }}
 {{- end }}