add CHOWN cap

2026-01-12 21:32:01 +11:00
parent 43522548f7
commit f6edffea0d


@@ -2,14 +2,15 @@ apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints kind: SecurityContextConstraints
metadata: metadata:
name: restricted-hostpath-privesc name: restricted-hostpath-privesc
allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
allowHostIPC: false allowHostIPC: false
allowHostNetwork: false allowHostNetwork: false
allowHostPID: false allowHostPID: false
allowHostPorts: false allowHostPorts: false
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
allowPrivilegedContainer: false allowPrivilegedContainer: false
allowedCapabilities: null allowedCapabilities:
- CHOWN
defaultAddCapabilities: null defaultAddCapabilities: null
fsGroup: fsGroup:
type: MustRunAs type: MustRunAs
@@ -31,8 +32,9 @@ volumes:
- configMap - configMap
- downwardAPI - downwardAPI
- emptyDir - emptyDir
- hostPath # This is what distinguishes it from restricted-s6 - hostPath # This is what distinguishes it from restricted-s6
- persistentVolumeClaim - persistentVolumeClaim
- projected - projected
- secret - secret
priority: 6 # Higher than restricted-s6 (5) due to hostPath access priority: 6 # Higher than restricted-s6 (5) due to hostPath access