Compare commits
3 Commits
e228753c59
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 1c49eaeca8 | |||
| 8b65362c75 | |||
| 9b3563ebfc |
BIN
manifests/.DS_Store
vendored
BIN
manifests/.DS_Store
vendored
Binary file not shown.
12
manifests/scc/scc-minio-restricted-rolebinding.yaml
Normal file
12
manifests/scc/scc-minio-restricted-rolebinding.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: calibre-sa-restricted-s6
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:openshift:scc:restricted-s6
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: calibre-sa
|
||||
namespace: calibre
|
||||
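Review bot: The binding grants the `calibre` service account the ClusterRole `system:openshift:scc:restricted-s6`, not use of the `minio-restricted` SCC that the sibling file `manifests/scc/scc-minio-restricted.yaml` introduces in the same commit, so the file name and the `roleRef` appear to disagree; confirm which SCC is intended and, if it is `minio-restricted`, point `roleRef.name` at `system:openshift:scc:minio-restricted`, the ClusterRole OpenShift generates for each SCC. A ClusterRoleBinding is also broader than a single namespaced subject needs: a `kind: RoleBinding` in namespace `calibre` with the same `roleRef` limits the grant to that namespace. The rendered view drops leading whitespace, so I cannot confirm that `name:` is nested under `metadata:` and that the `subjects` fields are nested under the list item; as printed at column 0 the manifest would not parse as intended.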
37
manifests/scc/scc-minio-restricted.yaml
Normal file
37
manifests/scc/scc-minio-restricted.yaml
Normal file
@@ -0,0 +1,37 @@
|
||||
apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: minio-restricted
|
||||
allowHostDirVolumePlugin: false
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities: null
|
||||
defaultAddCapabilities: null
|
||||
fsGroup:
|
||||
type: MustRunAs
|
||||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
priority: null
|
||||
readOnlyRootFilesystem: false
|
||||
requiredDropCapabilities:
|
||||
- MKNOD
|
||||
- ALL
|
||||
runAsUser:
|
||||
type: MustRunAs
|
||||
uid: 501
|
||||
seLinuxContext:
|
||||
type: MustRunAs
|
||||
supplementalGroups:
|
||||
type: RunAsAny
|
||||
volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- emptyDir
|
||||
- persistentVolumeClaim
|
||||
- projected
|
||||
- secret
|
||||
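Review bot: `requiredDropCapabilities` lists `MKNOD` and then `ALL`; `ALL` already covers `MKNOD`, so the first entry is redundant and makes the list read as if it were meant to be selective — keep `- ALL` alone, or drop `ALL` and enumerate the capabilities deliberately. `supplementalGroups: RunAsAny` is looser than the neighbouring `fsGroup` range pinned to 1000–1000 and `runAsUser` pinned to uid 501; if the workload only needs the group it already receives through `fsGroup`, `type: MustRunAs` with the same range keeps the two controls consistent. Nothing on this page grants use of `minio-restricted`: the rolebinding added alongside it references `system:openshift:scc:restricted-s6`, so confirm a binding for this SCC exists elsewhere or the object is unused. Indentation is not visible in the rendered view, so I cannot confirm that `type`, `ranges` and `uid` sit under their parent keys.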
@@ -1,13 +1,13 @@
|
||||
apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: restricted-hostpath-privesc
|
||||
name: restricted-hostpath-privesc # this scc allows hostPath and allowPrivilegeEscalation
|
||||
allowHostDirVolumePlugin: true
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowPrivilegeEscalation: true
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities:
|
||||
- CHOWN
|
||||
|
||||
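Review bot: `allowPrivilegeEscalation: true` is introduced into an SCC that already sets `allowHostDirVolumePlugin: true`, and the new comment on `name:` only restates those two fields without saying why escalation is required, which is what a later reviewer of this SCC will need. If the direction of the change is as the print order suggests (false → true), record the reason on the line itself, e.g. `allowPrivilegeEscalation: true  # <reason> — required by <workload>` with the real workload filled in, and confirm the SCC is granted only to that workload's service account through a namespaced RoleBinding rather than cluster-wide. The file header for this hunk is not shown in the compare view, so I cannot tell which manifest it belongs to.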
@@ -1,13 +1,13 @@
|
||||
apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: restricted-hostpath-privesc
|
||||
allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
|
||||
name: restricted-hostpath
|
||||
allowHostDirVolumePlugin: true #this scc allows hostPath
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: true
|
||||
allowPrivilegeEscalation: false
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities:
|
||||
- CHOWN
|
||||
|
||||
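Review bot: The replacement comment `allowHostDirVolumePlugin: true #this scc allows hostPath` drops the reason the removed line carried (`# Needed for /dev/dri hostPath`) and only restates the field, and it lacks the space after `#` that yamllint's `comments` rule expects and that the comment in the preceding hunk uses. If `/dev/dri` is still why hostPath is needed here, keep it: `allowHostDirVolumePlugin: true  # hostPath needed for /dev/dri`. The rename to `restricted-hostpath` together with `allowPrivilegeEscalation: false` reads as correcting a copy of the privesc SCC, assuming the lines are printed old-then-new; the hunk's file header is not shown, so confirm the target file.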