commit 4f9a075674934a2f5fb61bd568aca70956e58d29
Author: Conan Scott
Date: Mon Jan 12 17:55:49 2026 +1100

initial commit

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..051ab44
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+# YAML for any cluster-scoped objects suchs as cluster roles/bindings, SCC etc.
+
+- Added SCC restricted-s6 for s6-overlay images
+- Added ClusterRole/Bindings for s6-overlay SCC
\ No newline at end of file
diff --git a/bootstrap/okd-platform-application.yaml b/bootstrap/okd-platform-application.yaml
new file mode 100644
index 0000000..796599e
--- /dev/null
+++ b/bootstrap/okd-platform-application.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: okd-platform
+ annotations:
+ argocd.argoproj.io/sync-wave: "-10"
+spec:
+ orphanedResources:
+ warn: false # Disable warning
+ project: infrastructure
+ destination:
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: https://gitea.apilab.us/cscott/okd-platform.git
+ targetRevision: main
+ path: manifests
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: false
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - PruneLast=true
diff --git a/manifests/.DS_Store b/manifests/.DS_Store
new file mode 100644
index 0000000..ea329e1
Binary files /dev/null and b/manifests/.DS_Store differ
diff --git a/manifests/scc/.DS_Store b/manifests/scc/.DS_Store
new file mode 100644
index 0000000..f17f369
Binary files /dev/null and b/manifests/scc/.DS_Store differ
diff --git a/manifests/scc/scc-restricteds6-rolebinding.yaml b/manifests/scc/scc-restricteds6-rolebinding.yaml
new file mode 100644
index 0000000..d4d2dd4
--- /dev/null
+++ b/manifests/scc/scc-restricteds6-rolebinding.yaml
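Review bot: `orphanedResources` with `warn: false` is, as far as I know, a field of the Argo CD AppProject spec rather than the Application spec; if that is right, the Application CRD schema will either prune it silently or reject it under strict field validation, and the setting belongs on the `infrastructure` project instead. Separately, `prune: true` together with `selfHeal: false` means Argo CD deletes cluster-scoped SCC and RBAC objects that disappear from `main` but never reverts out-of-band edits to the ones that remain; for objects that are a security boundary, `selfHeal: true` is what makes the repo the source of truth rather than only the source of creation. The `infrastructure` AppProject is not part of this commit, and the sync can only succeed if it allows `SecurityContextConstraints` and `ClusterRoleBinding` in its `clusterResourceWhitelist`, which is worth recording in a comment next to `project: infrastructure`. Since `destination` sets no `namespace`, `CreateNamespace=true` has nothing to act on and can be dropped, and the two `.DS_Store` files added under the synced `path` belong in `.gitignore`.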
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: calibre-sa-restricted-s6
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:restricted-s6
+subjects:
+ - kind: ServiceAccount
+ name: calibre-sa
+ namespace: calibre
\ No newline at end of file
diff --git a/manifests/scc/scc-restricteds6.yaml b/manifests/scc/scc-restricteds6.yaml
new file mode 100644
index 0000000..7540bd0
--- /dev/null
+++ b/manifests/scc/scc-restricteds6.yaml
@@ -0,0 +1,37 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: restricted-s6
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1000
+ max: 2000
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - ALL
+runAsUser:
+ type: MustRunAsRange
+ uidRangeMin: 1000
+ uidRangeMax: 2000
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - projected
+ - secret
+priority: 5 # Higher than restricted (0) but lower than anyuid (10)
\ No newline at end of file
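Review bot: A `ClusterRoleBinding` grants more than the subject needs: `subjects` names one ServiceAccount in `calibre`, and SCC admission only requires that the pod's service account can `use` the SCC in the pod's own namespace, so a namespaced binding gives the same result without a cluster-wide grant — change `kind: ClusterRoleBinding` to `kind: RoleBinding` and add `namespace: calibre` under `metadata`, keeping `roleRef` as it is. The ClusterRole `system:openshift:scc:restricted-s6` is not defined anywhere in this commit; if the binding relies on the per-SCC ClusterRole that OpenShift generates, that is fine but should be said in a comment such as `# roleRef targets the ClusterRole OpenShift auto-generates for the restricted-s6 SCC`, and the README's "Added ClusterRole/Bindings" then overstates what is actually here. Nothing orders this binding after the SCC it refers to; a dangling `roleRef` is accepted by the apiserver, so this only matters for readers, not for the first sync.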
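Review bot: No `seccompProfiles` is set, so pods admitted under `restricted-s6` get no seccomp profile from the SCC even though the rest of it mirrors the restricted posture (`requiredDropCapabilities` of `ALL`, `allowPrivilegeEscalation: false`, every `allowHost*` false); adding `seccompProfiles:` with `- runtime/default` keeps parity with `restricted-v2`. `priority: 5` makes this SCC win over `restricted` for every service account that can `use` it, which is the intent for `calibre-sa` but means any future binding to a group rather than a single ServiceAccount would silently move all of that group's pods here; a comment next to `priority` stating that the SCC is meant to be bound per-ServiceAccount only would record that constraint. The fixed `1000`–`2000` range in `runAsUser` and `fsGroup` applies regardless of the namespace's UID-range annotation, which presumably is what the s6-overlay images need; a one-line comment saying why a fixed range is required rather than the per-namespace range `restricted` derives would spare the next maintainer the guess. The trailing comment on `priority` is the right idea; the same treatment is missing on the lines above that actually differ from `restricted-v2`.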