add CHOWN cap
@@ -2,14 +2,15 @@ apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: restricted-hostpath-privesc
|
||||
allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
|
||||
allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: true
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities: null
|
||||
allowedCapabilities:
|
||||
- CHOWN
|
||||
defaultAddCapabilities: null
|
||||
fsGroup:
|
||||
type: MustRunAs
|
||||
@@ -31,8 +32,9 @@ volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- emptyDir
|
||||
- hostPath # This is what distinguishes it from restricted-s6
|
||||
- hostPath # This is what distinguishes it from restricted-s6
|
||||
- persistentVolumeClaim
|
||||
- projected
|
||||
- secret
|
||||
priority: 6 # Higher than restricted-s6 (5) due to hostPath access
|
||||
priority: 6 # Higher than restricted-s6 (5) due to hostPath access
|
||||
|
||||
|
||||
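Review bot: The new `- CHOWN` entry under `allowedCapabilities` carries no justification, while every other non-default setting in this SCC does (`# Needed for /dev/dri hostPath`, `# This is what distinguishes it from restricted-s6`); add one such as `- CHOWN  # <workload> must chown files under its hostPath mount` so a later reviewer can tell whether the grant is still needed. Because this SCC also sets `allowHostDirVolumePlugin: true` and `allowPrivilegeEscalation: true`, a pod admitted under it can request CHOWN and apply it to the host files it mounts, so the comment should name the intended scope rather than only the capability. Note that `allowedCapabilities` only permits a pod to request CHOWN; if the workload needs it unconditionally, `defaultAddCapabilities` is the field for that, and pairing the grant with `requiredDropCapabilities` keeps the remaining capability set tight — whether that field is set elsewhere in this SCC is outside the visible hunks.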