From 358750b03444a96c1bbd2a7b03935e59a092965e Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Fri, 1 Sep 2023 16:26:34 -0400
Subject: [PATCH] Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments

---
 charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml | 2 ++
 charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml | 2 ++
 .../consul/templates/telemetry-collector-podsecuritypolicy.yaml | 2 ++
 .../templates/terminating-gateways-podsecuritypolicy.yaml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml
index f7354da2b3..b847e44ebd 100644
--- a/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml
+++ b/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml
@@ -21,6 +21,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'
diff --git a/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
index b5bbb2fa03..04576fe926 100644
--- a/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
+++ b/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
@@ -18,6 +18,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'
diff --git a/charts/consul/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/consul/templates/telemetry-collector-podsecuritypolicy.yaml
index 286a92d0bd..f4c05a2f33 100644
--- a/charts/consul/templates/telemetry-collector-podsecuritypolicy.yaml
+++ b/charts/consul/templates/telemetry-collector-podsecuritypolicy.yaml
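Review bot: Using `defaultAddCapabilities` for NET_BIND_SERVICE in the ingress-gateways PSP is broader than the change appears to need: PSP admission injects a default-add capability into every container of an admitted pod that does not set its own `capabilities`, including init containers and any sidecar that never binds a privileged port. If the gateway deployment already requests the capability explicitly on the consul-dataplane container (the commit title suggests that is where it is needed), `allowedCapabilities: [NET_BIND_SERVICE]` is the least-privilege form, since it only permits what a container asks for rather than granting it by default. Whichever field is kept, the new stanza is the only one in this block without a why-comment in the file's style; something like `# Lets consul-dataplane bind privileged ports while running as non-root — confirm against the gateway deployment template` would help, as the hunk itself does not state the reason. Keep in mind that PodSecurityPolicy was removed in Kubernetes 1.25, so this only matters on older clusters; the Pod Security Admission `restricted` profile already allows NET_BIND_SERVICE as the sole permitted add, which is consistent with this choice.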
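Review bot: The mesh-gateway PSP now pairs `requiredDropCapabilities: [ALL]` with `defaultAddCapabilities: [NET_BIND_SERVICE]`, and nothing in the hunk records that this combination is deliberate. PSP validation accepts it because the checks are literal (`ALL` in the drop list, `NET_BIND_SERVICE` in the default-add list), and the resulting container securityContext is `drop: [ALL]` plus `add: [NET_BIND_SERVICE]`; as far as I know the container runtimes compute the effective set as (defaults minus drop) union add, so the net result is NET_BIND_SERVICE alone, but that ordering is the whole reason the stanza works and deserves a line such as `# Re-added after ALL is dropped; runtimes apply drop before add, so only NET_BIND_SERVICE survives.`. Note also that any pod under this PSP whose container explicitly adds a capability other than NET_BIND_SERVICE will now be rejected rather than silently permitted, which is the intended tightening but worth a mention in the description.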
@@ -18,6 +18,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'
diff --git a/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml
index 97ad2af961..7307fb8be9 100644
--- a/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml
+++ b/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml
@@ -21,6 +21,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'
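Review bot: The telemetry-collector PSP receives the same `defaultAddCapabilities: [NET_BIND_SERVICE]` as the gateways, yet a telemetry collector is not an ingress point, and the hunk gives no hint why it needs to bind privileged ports. If the collector pod carries a consul-dataplane sidecar and that sidecar is the only consumer (the commit title points that way, but I cannot see the deployment template from here), a default-add also lands on the collector container itself, which presumably has no use for it; expressing the need as `allowedCapabilities` plus an explicit `add` on the dataplane container would keep the collector container at `drop: [ALL]` only. At minimum the new field should carry a comment naming the consumer, e.g. `# Required by the consul-dataplane sidecar, not by the collector itself — verify.`, so a later reader does not assume the collector binds low ports.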
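Review bot: With this fourth copy in the terminating-gateways PSP, the capability stanza (`requiredDropCapabilities: [ALL]` followed by `defaultAddCapabilities: [NET_BIND_SERVICE]`) is now hand-duplicated across four templates, which is exactly the shape that drifts when one file is later tightened or loosened and the others are not. If the chart has a `_helpers.tpl`, a named template rendered via `{{- include "consul.pspCapabilities" . | nindent 2 }}` in each PSP would give the four policies a single source of truth; I cannot confirm the helper file from this diff, so treat the name as a suggestion. The diffstat shows no test changes, so if the chart's unit suite covers these PSP templates, a rendering assertion that `defaultAddCapabilities` contains only NET_BIND_SERVICE would catch an accidental widening in a future edit.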