From 3d697b1a972ca3830ffbf3e933b4b39c3cb1be78 Mon Sep 17 00:00:00 2001
From: Yolanda Robla
Date: Mon, 27 May 2019 15:18:46 +0200
Subject: [PATCH] Add a new folder to provide cluster customizations

Change-Id: Idb46c617f9eac2ab3427eaf1f74b3ed25bf22121
---
 customizations/kustomization.yaml | 2 ++
 customizations/scc.yaml | 47 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 customizations/kustomization.yaml
 create mode 100644 customizations/scc.yaml

diff --git a/customizations/kustomization.yaml b/customizations/kustomization.yaml
new file mode 100644
index 0000000..d4f5fd8
--- /dev/null
+++ b/customizations/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- scc.yaml
diff --git a/customizations/scc.yaml b/customizations/scc.yaml
new file mode 100644
index 0000000..58f2ed7
--- /dev/null
+++ b/customizations/scc.yaml
@@ -0,0 +1,47 @@
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- '*'
+allowedUnsafeSysctls:
+- '*'
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+ type: RunAsAny
+groups:
+- system:cluster-admins
+- system:nodes
+- system:masters
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: 'privileged allows access to all privileged and host
+ features and the ability to run as any user, any group, any fsGroup, and with
+ any SELinux context. WARNING: this is the most relaxed SCC and should be used
+ only for cluster administration. Grant with caution.'
+ name: privileged
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+seccompProfiles:
+- '*'
+supplementalGroups:
+ type: RunAsAny
+users:
+- system:admin
+- system:serviceaccount:openshift-infra:build-controller
+- system:serviceaccount:kubevirt:kubevirt-operator
+- system:serviceaccount:kubevirt:kubevirt-handler
+- system:serviceaccount:kubevirt:kubevirt-apiserver
+- system:serviceaccount:kubevirt:kubevirt-controller
+volumes:
+- '*'
--
2.16.6
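Review bot: Checking in the whole `privileged` SCC as a kustomize resource means every apply replaces the live object's `users` and `groups` lists with the ones in this hunk, so any grant made on the cluster outside this repository (for example via `oc adm policy add-scc-to-user`) is silently dropped on the next reconcile, and the other fields are pinned to whatever the exporting cluster had at the time. If the only intent is to admit the four `system:serviceaccount:kubevirt:*` accounts, a kustomize JSON patch that appends each entry to `/users/-` on the existing SCC carries the same grant without owning the rest of the object; if the full copy is deliberate, a header comment should say so, e.g. `# Full copy of the stock OpenShift 'privileged' SCC; only the kubevirt entries under users: are local additions.`. Those four accounts receive host network/PID/IPC, privileged containers, all capabilities and all unsafe sysctls, and neither the file nor the commit message records which kubevirt component needs which of these, so a one-line comment per entry (or a pointer to the kubevirt release that prescribes the grant) would let a later reviewer judge removals. The `defaultAddCapabilities: null`, `priority: null` and `requiredDropCapabilities: null` lines look like artefacts of an `oc get -o yaml` export and can be dropped, since omitting the key yields the same value.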