added back scc-restricted-hostpath
This commit is contained in:
@@ -2,12 +2,12 @@ apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: restricted-hostpath-privesc
|
||||
allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
|
||||
allowHostDirVolumePlugin: true
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: true
|
||||
allowPrivilegeEscalation: false
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities:
|
||||
- CHOWN
|
||||
|
||||
40
manifests/scc/scc-restricted-hostpath.yaml
Normal file
40
manifests/scc/scc-restricted-hostpath.yaml
Normal file
@@ -0,0 +1,40 @@
|
||||
apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: restricted-hostpath-privesc
|
||||
allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: true
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities:
|
||||
- CHOWN
|
||||
defaultAddCapabilities: null
|
||||
fsGroup:
|
||||
type: MustRunAs
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 2000
|
||||
readOnlyRootFilesystem: false
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
runAsUser:
|
||||
type: MustRunAsRange
|
||||
uidRangeMin: 1000
|
||||
uidRangeMax: 2000
|
||||
seLinuxContext:
|
||||
type: MustRunAs
|
||||
supplementalGroups:
|
||||
type: RunAsAny
|
||||
volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- emptyDir
|
||||
- hostPath # This is what distinguishes it from restricted-s6
|
||||
- persistentVolumeClaim
|
||||
- projected
|
||||
- secret
|
||||
priority: 6 # Higher than restricted-s6 (5) due to hostPath access
|
||||
|
||||
Reference in New Issue
Block a user