Merge pull request #54600 from ousleyp/cnv-20962-scc

ousleyp · web-flow · commit f04591c03f24 · 2023-01-16T10:20:27.000-05:00
CNV-20962: SCC updates for 4.11+
diff --git a/modules/virt-additional-scc-for-kubevirt-controller.adoc b/modules/virt-additional-scc-for-kubevirt-controller.adoc
@@ -8,11 +8,9 @@
 
 Security context constraints (SCCs) control permissions for pods. These permissions include actions that a pod, a collection of containers, can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with to be accepted into the system.
 
-The `kubevirt-controller` is a cluster controller that creates the virt-launcher pods for virtual machines in the cluster. These virt-launcher pods are granted permissions by the `kubevirt-controller` service account.
+The `virt-controller` is a cluster controller that creates the `virt-launcher` pods for virtual machines in the cluster. These pods are granted permissions by the `kubevirt-controller` service account.
 
-== Additional SCCs granted to the kubevirt-controller service account
-
-The `kubevirt-controller` service account is granted additional SCCs and Linux capabilities so that it can create virt-launcher pods with the appropriate permissions. These extended permissions allow virtual machines to take advantage of {VirtProductName} features that are beyond the scope of typical pods.
+The `kubevirt-controller` service account is granted additional SCCs and Linux capabilities so that it can create `virt-launcher` pods with the appropriate permissions. These extended permissions allow virtual machines to use {VirtProductName} features that are beyond the scope of typical pods.
 
 The `kubevirt-controller` service account is granted the following SCCs:
 
@@ -22,11 +20,11 @@ This allows virtual machines to use the hostpath volume plug-in.
 * `scc.AllowPrivilegedContainer = false` +
 This ensures the virt-launcher pod is not run as a privileged container.
 
-* `scc.AllowedCapabilities = []corev1.Capability{"NET_ADMIN", "NET_RAW", "SYS_NICE"}` +
-This provides the following additional Linux capabilities
-`NET_ADMIN`,
-`NET_RAW`, and
-`SYS_NICE`.
+* `scc.AllowedCapabilities = []corev1.Capability{"SYS_NICE", "NET_BIND_SERVICE", "SYS_PTRACE"}` +
+
+** `SYS_NICE` allows setting the CPU affinity.
+** `NET_BIND_SERVICE` allows DHCP and Slirp operations.
+** `SYS_PTRACE` enables certain versions of `libvirt` to find the process ID (PID) of `swtpm`, a software Trusted Platform Module (TPM) emulator.
 
 == Viewing the SCC and RBAC definitions for the kubevirt-controller
 
