From aba03b667ed731ac7ab29dba0f34da898cdcd755 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Tue, 5 Sep 2023 11:32:31 -0400
Subject: [PATCH] Backport of NET-5186 Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments

Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments
---
 charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml | 2 ++
 charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml | 2 ++
 .../templates/terminating-gateways-podsecuritypolicy.yaml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml
index f7354da2b3..b847e44ebd 100644
--- a/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml
+++ b/charts/consul/templates/ingress-gateways-podsecuritypolicy.yaml
@@ -21,6 +21,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'
diff --git a/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
index b5bbb2fa03..04576fe926 100644
--- a/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
+++ b/charts/consul/templates/mesh-gateway-podsecuritypolicy.yaml
@@ -18,6 +18,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'
diff --git a/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml
index 97ad2af961..7307fb8be9 100644
--- a/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml
+++ b/charts/consul/templates/terminating-gateways-podsecuritypolicy.yaml
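Review bot: The new `defaultAddCapabilities` entry injects NET_BIND_SERVICE into every container of any pod admitted under this PSP (init containers and sidecars included), whereas `allowedCapabilities` would only let a container that explicitly requests the capability in its securityContext receive it; if the gateway Deployment templates already request it (I cannot see them from this patch), `allowedCapabilities: [NET_BIND_SERVICE]` is the narrower grant and keeps the "defense in depth" intent of the surrounding lines. The same applies to the identical hunks in mesh-gateway-podsecuritypolicy.yaml and terminating-gateways-podsecuritypolicy.yaml. Either way, the two added lines deserve a comment in the file's existing style saying why the capability is needed and how it composes with the `- ALL` drop above, e.g. `# consul-dataplane runs as non-root and must bind privileged listener ports; this is` / `# re-added after requiredDropCapabilities drops ALL, so it is the only capability kept.` Note also that capability grants to a non-root container only take effect if the binary carries the matching file capabilities; that is presumably handled in the consul-dataplane image, but worth confirming before relying on this change.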
@@ -21,6 +21,8 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
+  defaultAddCapabilities:
+    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'