fix(vault): add priority to SCC to ensure correct application

2026-01-14 15:39:33 +11:00
parent 8bcd16686f
commit 97dd3d999e
2 changed files with 52 additions and 0 deletions
--- a/01-claude-ocp/vault-rbac.yaml
+++ b/01-claude-ocp/vault-rbac.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vault-restricted-scc-role
+rules:
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - vault-restricted
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-restricted-scc-binding
+  namespace: vault
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vault-restricted-scc-role
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault
--- a/01-claude-ocp/vault-scc.yaml
+++ b/01-claude-ocp/vault-scc.yaml
@@ -0,0 +1,25 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: vault-restricted
+priority: 20
+allowPrivilegedContainer: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+runAsUser:
+  type: MustRunAs
+  uid: 100
+seLinuxContext:
+  type: MustRunAs
+fsGroup:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+defaultAddCapabilities: []
+requiredDropCapabilities:
+- ALL
+users: []
+groups: []