initial commit
4
README.md
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
# YAML for any cluster-scoped objects suchs as cluster roles/bindings, SCC etc.
|
||||||
|
|
||||||
|
- Added SCC restricted-s6 for s6-overlay images
|
||||||
|
- Added ClusterRole/Bindings for s6-overlay SCC
|
||||||
24
bootstrap/okd-platform-application.yaml
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: okd-platform
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/sync-wave: "-10"
|
||||||
|
spec:
|
||||||
|
orphanedResources:
|
||||||
|
warn: false # Disable warning
|
||||||
|
project: infrastructure
|
||||||
|
destination:
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
source:
|
||||||
|
repoURL: https://gitea.apilab.us/cscott/okd-platform.git
|
||||||
|
targetRevision: main
|
||||||
|
path: manifests
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
prune: true
|
||||||
|
selfHeal: false
|
||||||
|
syncOptions:
|
||||||
|
- CreateNamespace=true
|
||||||
|
- ApplyOutOfSyncOnly=true
|
||||||
|
- PruneLast=true
|
||||||
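Review bot: This Application applies cluster-scoped privileged objects (the SCC and ClusterRoleBinding under `manifests/`) with `automated` sync and `prune: true` from the mutable `main` branch of a user-owned repository, so anyone who can push to `cscott/okd-platform` can rewrite SCC policy and cluster RBAC; the AppProject `infrastructure` named on the `project:` line is not in this commit, so I cannot tell whether its `sourceRepos`/`clusterResourceWhitelist` bound that, and a comment such as `# Trust boundary: a push to this branch changes SCCs and cluster RBAC; repo/branch must be protected` above `repoURL:` would make the dependency explicit. Consider a protected branch or tag for `targetRevision` and commit signature verification on the project (`signatureKeys`), and treat `prune: true` on SCCs as a deliberate choice given that removing a manifest deletes the SCC cluster-wide. Separately, `orphanedResources` is, as far as I know, an AppProject field rather than an Application one, so the `warn: false` block is likely ignored or rejected under strict field validation, and `CreateNamespace=true` has nothing to act on because `destination` sets no `namespace`.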
BIN
manifests/.DS_Store
vendored
Normal file
Binary file not shown.
BIN
manifests/scc/.DS_Store
vendored
Normal file
Binary file not shown.
12
manifests/scc/scc-restricteds6-rolebinding.yaml
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: calibre-sa-restricted-s6
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:openshift:scc:restricted-s6
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: calibre-sa
|
||||||
|
namespace: calibre
|
||||||
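Review bot: This is a `ClusterRoleBinding` although it grants a single namespaced subject (`calibre-sa` in `calibre`) the right to use the SCC; SCC admission checks the subject's `use` permission in the pod's namespace, so a namespaced binding to the same ClusterRole is sufficient, is removed together with the namespace, and avoids a cluster-scoped grant that would keep applying to any `calibre-sa` that appears if `calibre` is ever deleted and re-created. The change is `kind: RoleBinding` and `namespace: calibre` under `metadata:`, with `roleRef` and `subjects` unchanged; the Application's missing destination namespace is not a problem because the namespace is set on the object itself. The README says a ClusterRole was added but none is in the commit, so I assume `system:openshift:scc:restricted-s6` is the ClusterRole OpenShift generates automatically for each SCC; worth stating with `# ClusterRole system:openshift:scc:restricted-s6 is auto-generated by OpenShift for the SCC; not managed in this repo`.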
37
manifests/scc/scc-restricteds6.yaml
Normal file
@@ -0,0 +1,37 @@
|
|||||||
|
apiVersion: security.openshift.io/v1
|
||||||
|
kind: SecurityContextConstraints
|
||||||
|
metadata:
|
||||||
|
name: restricted-s6
|
||||||
|
allowHostDirVolumePlugin: false
|
||||||
|
allowHostIPC: false
|
||||||
|
allowHostNetwork: false
|
||||||
|
allowHostPID: false
|
||||||
|
allowHostPorts: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
allowPrivilegedContainer: false
|
||||||
|
allowedCapabilities: null
|
||||||
|
defaultAddCapabilities: null
|
||||||
|
fsGroup:
|
||||||
|
type: MustRunAs
|
||||||
|
ranges:
|
||||||
|
- min: 1000
|
||||||
|
max: 2000
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
requiredDropCapabilities:
|
||||||
|
- ALL
|
||||||
|
runAsUser:
|
||||||
|
type: MustRunAsRange
|
||||||
|
uidRangeMin: 1000
|
||||||
|
uidRangeMax: 2000
|
||||||
|
seLinuxContext:
|
||||||
|
type: MustRunAs
|
||||||
|
supplementalGroups:
|
||||||
|
type: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- configMap
|
||||||
|
- downwardAPI
|
||||||
|
- emptyDir
|
||||||
|
- persistentVolumeClaim
|
||||||
|
- projected
|
||||||
|
- secret
|
||||||
|
priority: 5 # Higher than restricted (0) but lower than anyuid (10)
|
||||||
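Review bot: The SCC sets no `seccompProfiles`, so unlike `restricted-v2` (which lists `runtime/default`) nothing here causes the default seccomp profile to be applied to pods admitted under it; adding `seccompProfiles:` with `- runtime/default` keeps syscall filtering while still allowing the fixed UID range that the s6-overlay images apparently need. The remaining constraints are tight — host namespaces and ports off, `requiredDropCapabilities: [ALL]`, `allowPrivilegeEscalation: false`, `MustRunAsRange` 1000–2000 with a matching `fsGroup` range — though `supplementalGroups: RunAsAny` still permits GID 0, which is the same as restricted but worth a conscious decision. The comment on `priority: 5` says restricted is 0; as far as I recall the default `restricted`/`restricted-v2` SCCs have no priority set (nil) while `anyuid` is 10, so `# higher than restricted/restricted-v2 (no priority) but lower than anyuid (10)` would be more accurate. With no `users`/`groups` listed, access comes only via RBAC `use` permission on the SCC, which matches the accompanying binding.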