41 lines
925 B
YAML
41 lines
925 B
YAML
apiVersion: security.openshift.io/v1
|
|
kind: SecurityContextConstraints
|
|
metadata:
|
|
name: restricted-hostpath-privesc # this scc allows hostPath and allowPrivilegeEscalation
|
|
allowHostDirVolumePlugin: true
|
|
allowHostIPC: false
|
|
allowHostNetwork: false
|
|
allowHostPID: false
|
|
allowHostPorts: false
|
|
allowPrivilegeEscalation: true
|
|
allowPrivilegedContainer: false
|
|
allowedCapabilities:
|
|
- CHOWN
|
|
defaultAddCapabilities: null
|
|
fsGroup:
|
|
type: MustRunAs
|
|
ranges:
|
|
- min: 1000
|
|
max: 2000
|
|
readOnlyRootFilesystem: false
|
|
requiredDropCapabilities:
|
|
- ALL
|
|
runAsUser:
|
|
type: MustRunAsRange
|
|
uidRangeMin: 1000
|
|
uidRangeMax: 2000
|
|
seLinuxContext:
|
|
type: MustRunAs
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
volumes:
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- hostPath # This is what distinguishes it from restricted-s6
|
|
- persistentVolumeClaim
|
|
- projected
|
|
- secret
|
|
priority: 6 # Higher than restricted-s6 (5) due to hostPath access
|
|
|