Skip to content

Commit 8c545d6

Browse files
sheriff-rhsheriff-rh
authored
Merge pull request #67020 from sheriff-rh/spo-idefs
2 parents 8a33517 + 3b19f32 commit 8c545d6

File tree

1 file changed

+5
-28
lines changed

1 file changed

+5
-28
lines changed

modules/spo-replicating-controllers.adoc

Lines changed: 5 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -1,24 +1,12 @@
11
// Module included in the following assemblies:
22
//
3-
// * security/security_profiles_operator/spo-seccomp.adoc
43
// * security/security_profiles_operator/spo-selinux.adoc
54

6-
ifeval::["{context}" == "spo-seccomp"]
7-
:seccomp:
8-
:type: seccomp
9-
:kind: SeccompProfile
10-
endif::[]
11-
ifeval::["{context}" == "spo-selinux"]
12-
:selinux:
13-
:type: SELinux
14-
:kind: SelinuxProfile
15-
endif::[]
16-
175
:_mod-docs-content-type: PROCEDURE
186
[id="spo-replicating-controllers_{context}"]
197
= Replicating controllers and SecurityContextConstraints
208

21-
When deploying {type} policies for replicating controllers, such as deployments or daemon sets, note that the `Pod` objects spawned by the controllers are not running with the identity of the user who creates the workload. Unless a `ServiceAccount` is selected, the pods might revert to using a restricted `SecurityContextConstraints` (SCC) which does not allow use of custom security policies.
9+
When you deploy SELinux policies for replicating controllers, such as deployments or daemon sets, note that the `Pod` objects spawned by the controllers are not running with the identity of the user who creates the workload. Unless a `ServiceAccount` is selected, the pods might revert to using a restricted `SecurityContextConstraints` (SCC) which does not allow use of custom security policies.
2210

2311
.Procedure
2412

@@ -29,14 +17,14 @@ When deploying {type} policies for replicating controllers, such as deployments
2917
kind: RoleBinding
3018
apiVersion: rbac.authorization.k8s.io/v1
3119
metadata:
32-
name: spo-use-seccomp-scc
20+
name: spo-nginx
3321
namespace: nginx-secure
3422
subjects:
3523
- kind: ServiceAccount
3624
name: spo-deploy-test
3725
roleRef:
3826
kind: Role
39-
name: spo-use-seccomp-scc
27+
name: spo-nginx
4028
apiGroup: rbac.authorization.k8s.io
4129
----
4230

@@ -48,7 +36,7 @@ apiVersion: rbac.authorization.k8s.io/v1
4836
kind: Role
4937
metadata:
5038
creationTimestamp: null
51-
name: spo-use-seccomp-scc
39+
name: spo-nginx
5240
namespace: nginx-secure
5341
rules:
5442
- apiGroups:
@@ -112,15 +100,4 @@ spec:
112100
The SELinux type is not specified in the workload and is handled by the SCC. When the pods are created by the deployment and the `ReplicaSet`, the pods will run with the appropriate profile.
113101
====
114102

115-
Ensure your SCC is only usable by the correct service account. Refer to _Additional resources_ for more information.
116-
117-
ifeval::["{context}" == "spo-seccomp"]
118-
:!seccomp:
119-
:!type:
120-
:!kind:
121-
endif::[]
122-
ifeval::["{context}" == "spo-selinux"]
123-
:!selinux:
124-
:!type:
125-
:!kind:
126-
endif::[]
103+
Ensure that your SCC is usable by only the correct service account. Refer to _Additional resources_ for more information.

0 commit comments

Comments
 (0)