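---
# Gatekeeper constraint applying a baseline pod-security profile to the
# workload namespaces listed under spec.match.namespaces.
#
# The parameter names (allowPrivileged, allowHostNamespace,
# allowedCapabilities) are defined by the K8sPodSecurity ConstraintTemplate,
# which is not shown here. Confirm they match the template's
# openAPIV3Schema: depending on how that schema is declared, an unknown or
# misspelled parameter may be pruned silently instead of being rejected,
# which would leave the corresponding control unenforced.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodSecurity
metadata:
  name: pod-security-policy
spec:
  # "deny" is Gatekeeper's default; stated explicitly so a reader can see
  # this constraint is not running in dryrun/warn mode.
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Only pods in these namespaces are evaluated; a pod created anywhere
    # else is not checked by this constraint at all.
    namespaces:
      - "production"
      - "staging"
    # Has no effect while `namespaces` is an explicit allowlist (neither
    # system namespace is in it), but kept so that widening `namespaces`
    # later cannot silently pull the control plane under this policy.
    excludedNamespaces:
      - "kube-system"
      - "gatekeeper-system"
  parameters:
    allowPrivileged: false
    allowHostNamespace: false
    # The only capability a container may add. Whether the template also
    # requires the remaining capabilities to be dropped depends on its Rego,
    # which is not visible here -- verify before relying on it.
    allowedCapabilities:
      - "NET_BIND_SERVICE"  # Allow binding to privileged ports (<1024)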