Add example SCC for daemonset (#95)

* Add example SCC for daemonset
---------

Signed-off-by: Ciara Stacke <[email protected]>

Author: ciarams87

docs/manual-installation.md

@@ -31,6 +31,12 @@ This will deploy the operator in the `nginx-ingress-operator-system` namespace.
 
 3. `OpenShift` Additional steps:
 
-In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so, please run the following command (assuming you are logged in with administrator access to the cluster):
+In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so for NIC deployments, please run the following command (assuming you are logged in with administrator access to the cluster):
 
 `kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.4.1/resources/scc.yaml`
+
+Alternatively, to create an SCC for NIC daemonsets, please run this command:
+
+`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.4.1/resources/scc-daemonset.yaml`
+
+You can now deploy the NGINX Ingress Controller instances.

docs/openshift-installation.md

@@ -19,8 +19,12 @@ OpenShift will install the NGINX Ingress Operator:
 
 Additional steps:
 
-In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so, please run the following command (assuming you are logged in with administrator access to the cluster):
+In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so for NIC deployments, please run the following command (assuming you are logged in with administrator access to the cluster):
 
 `kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.4.1/resources/scc.yaml`
 
+Alternatively, to create an SCC for NIC daemonsets, please run this command:
+
+`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.3.1/resources/scc-daemonset.yaml`
+
 You can now deploy the NGINX Ingress Controller instances.

resources/scc-daemonset.yaml

@@ -0,0 +1,29 @@
+# Create SCC for IC resources
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: nginx-ingress-admin
+allowPrivilegedContainer: false
+runAsUser:
+  type: MustRunAs
+  uid: 101
+seLinuxContext:
+  type: MustRunAs
+fsGroup:
+  type: MustRunAs
+supplementalGroups:
+  type: MustRunAs
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: true
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+readOnlyRootFilesystem: false
+seccompProfiles:    
+- runtime/default
+volumes:
+ - secret
+requiredDropCapabilities:
+ - ALL
+users:
+ - 'system:serviceaccount:*:nginx-ingress'