
Commit 058271d

Update scc
1 parent 6b18599 commit 058271d

1 file changed

+40
-31
lines changed


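--- a/collector/templates/probe.yaml
+++ b/collector/templates/probe.yaml
@@ -140,45 +140,54 @@ rules:
       - list
       - watch
 ---
-{{- if and (not .Values.externalSecrets) (not .Values.dockerHubEnabled) }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: registrycred
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    # ArgoCD requires jobs be annotated with a PreSync
-    argocd.argoproj.io/hook: PreSync
-    argocd.argoproj.io/sync-wave: "-5"
-type: kubernetes.io/dockerconfigjson
-data:
-  .dockerconfigjson: {{ printf "{ \"auths\": { \"%s\": { \"auth\": \"%s\" } } }" .Values.repository ( printf "prequel:%s" .Values.token | b64enc) | b64enc }}
-{{- else }}
-# No Secret is created; ensure registrycred is created by an external secret manager ahead of time
-{{- end }}
----
 {{- if .Values.scc }}
+apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
-apiVersion: security.openshift.io/v1
 metadata:
-  name: prequel-scc
+  name: prequel-scc
+  labels:
+    app.kubernetes.io/managed-by: Helm
+priority: 100
 allowPrivilegedContainer: true
 allowHostPID: true
-allowHostIPC: false
-allowHostPorts: false
-readOnlyRootFilesystem: false
-allowedCapabilities:
-  - SYS_ADMIN
-  - SYS_PTRACE
 allowHostNetwork: true
 allowHostDirVolumePlugin: true
+allowPrivilegeEscalation: true
+allowedCapabilities: ["SYS_ADMIN","SYS_PTRACE"]
 runAsUser:
-  type: RunAsAny
+  type: RunAsAny
 seLinuxContext:
-  type: RunAsAny
-users:
-  - system:serviceaccount:prequel:prequel-probes
-  - system:serviceaccount:prequel:prequel-collector
+  type: RunAsAny
+seccompProfiles: ["runtime/default"] # <-- add this (or "*")
+volumes: ["*"]
+users: [] # keep empty; binding is via RBAC
+groups: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: prequel-scc-use
+rules:
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames: ["prequel-scc"]
+    verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: prequel-scc-use
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prequel-scc-use
+subjects:
+  - kind: ServiceAccount
+    name: prequel-probes
+    namespace: prequel
+  - kind: ServiceAccount
+    name: prequel-collector
+    namespace: prequel
 {{- end }}
 
-{{- end }}
+{{- end }}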
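Review bot: The new ClusterRoleBinding hardcodes `namespace: prequel` on both ServiceAccount subjects, whereas the template elsewhere resolves the namespace with `{{ .Release.Namespace }}` (the removed Secret did), so a release installed in any other namespace binds the SCC to accounts that do not exist and the probe and collector pods are refused at admission; use `namespace: {{ .Release.Namespace }}` on both subjects, and consider prefixing the cluster-scoped `prequel-scc-use` names with the release name so two installs cannot collide. The `seccompProfiles` line still carries the scratch comment `# <-- add this (or "*")`; replace it with the reason `runtime/default` is the only profile allowed, since a pod that requests `Unconfined` for tracing would be rejected against this SCC. Given that the SCC now grants privileged containers, host PID and network, `volumes: ["*"]`, privilege escalation, SYS_ADMIN/SYS_PTRACE and RunAsAny user and SELinux context — effectively the built-in `privileged` SCC, and with `priority: 100` it is chosen ahead of the built-ins for any account that can use it — a one-line comment per setting naming the probe feature that needs it would let a cluster administrator audit the grant. Note also that the hunk deletes the `registrycred` Secret template entirely, which the title "Update scc" does not mention; unless that Secret is created by another template or out of band, pods that reference it as an imagePullSecret will fail to pull. The `{{- if ... }}` closed by the final `{{- end }}` begins outside the hunk.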
