Controller/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.

charts/ingress-nginx/templates/controller-psp.yaml

@@ -11,25 +11,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  {{- if .Values.controller.image.chroot }}
-    - SYS_CHROOT
-  {{- end }}
-{{- if .Values.controller.sysctls }}
-  allowedUnsafeSysctls:
-  {{- range $sysctl, $value := .Values.controller.sysctls }}
-    - {{ $sysctl }}
-  {{- end }}
-{{- end }}
   privileged: false
-  allowPrivilegeEscalation: true
+  hostPID: false
-  volumes:
+  hostIPC: false
-    - configMap
-    - emptyDir
-    - projected
-    - secret
-    - downwardAPI
 {{- if .Values.controller.hostNetwork }}
   hostNetwork: {{ .Values.controller.hostNetwork }}
 {{- end }}
@@ -69,8 +53,18 @@ spec:
       max: {{ $key }}
   {{- end }}
 {{- end }}
-  hostIPC: false
+  volumes:
-  hostPID: false
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
   runAsUser:
     rule: MustRunAsNonRoot
   supplementalGroups:
@@ -78,13 +72,19 @@ spec:
     ranges:
       - min: 1
         max: 65535
-  fsGroup:
+  allowPrivilegeEscalation: true
-    rule: MustRunAs
+  allowedCapabilities:
-    ranges:
+    - NET_BIND_SERVICE
-      - min: 1
+  {{- if .Values.controller.image.chroot }}
-        max: 65535
+    - SYS_CHROOT
-  readOnlyRootFilesystem: false
+  {{- end }}
   seLinux:
     rule: RunAsAny
+{{- if .Values.controller.sysctls }}
+  allowedUnsafeSysctls:
+  {{- range $sysctl, $value := .Values.controller.sysctls }}
+    - {{ $sysctl }}
+  {{- end }}
+{{- end }}
 {{- end }}
 {{- end }}