tidied up scc

Add Vault RBAC for SCC
Add Vault SCC with priority 20
2026-01-14 17:04:35 +11:00 · 2026-01-14 04:41:05 +00:00 · 2026-01-14 04:40:57 +00:00 · 2026-01-14 04:24:28 +00:00 · 2026-01-14 04:24:17 +00:00 · 2026-01-14 04:24:08 +00:00
4 changed files with 65 additions and 9 deletions
--- a/templates/vault-rbac.yaml
+++ b/templates/vault-rbac.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vault-restricted-scc-role
+rules:
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - vault-restricted
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-restricted-scc-binding
+  namespace: vault
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vault-restricted-scc-role
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault
--- a/templates/vault-scc.yaml
+++ b/templates/vault-scc.yaml
@@ -0,0 +1,25 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: vault-restricted
+priority: 20
+allowPrivilegedContainer: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+runAsUser:
+  type: MustRunAs
+  uid: 100
+seLinuxContext:
+  type: MustRunAs
+fsGroup:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+defaultAddCapabilities: []
+requiredDropCapabilities:
+- ALL
+users: []
+groups: []
--- a/values.openshift.yaml
+++ b/values.openshift.yaml
@@ -23,6 +23,10 @@ server:
  readinessProbe:
    path: "/v1/sys/health?uninitcode=204"

+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 100
+
 csi:
  image:
    repository: "registry.connect.redhat.com/hashicorp/vault-csi-provider"
--- a/values.yaml
+++ b/values.yaml
@@ -266,7 +266,7 @@ injector:
    #securityContext:
    #  pod: {}
    #  container: {}
-    securityContext:
+  securityContext:
    pod:
      runAsNonRoot: true
    container:
@@ -1042,14 +1042,14 @@ server:
    #securityContext:
    #  pod: {}
    #  container: {}
-  securityContext:
-    pod:
-      runAsNonRoot: true
-    container:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
+    securityContext:
+      pod:
+        runAsNonRoot: true
+      container:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL

  # Should the server pods run on the host network
  hostNetwork: false
Author	SHA1	Message	Date
Conan Scott	72f2f3ae62	tidied up scc All checks were successful continuous-integration/publish-helm Helm publish succeeded	2026-01-14 17:04:35 +11:00
Conan Scott	db66e50820	Add Vault RBAC for SCC All checks were successful continuous-integration/publish-helm Helm publish succeeded	2026-01-14 04:41:05 +00:00
Conan Scott	215857128a	Add Vault SCC with priority 20 All checks were successful continuous-integration/publish-helm Helm publish succeeded	2026-01-14 04:40:57 +00:00
Conan Scott	5fc083961a	Enforce runAsUser 100 for Vault server All checks were successful continuous-integration/publish-helm Helm publish succeeded	2026-01-14 04:24:28 +00:00
Conan Scott	65c1f128c0	Add RBAC for Vault restricted SCC All checks were successful continuous-integration/publish-helm Helm publish succeeded	2026-01-14 04:24:17 +00:00
Conan Scott	e6e1970ca1	Add restricted SCC for Vault All checks were successful continuous-integration/publish-helm Helm publish succeeded	2026-01-14 04:24:08 +00:00
Conan Scott	a7d56dea82	more indentation issues All checks were successful continuous-integration/publish-helm Helm publish succeeded	2026-01-13 16:25:51 +11:00
Conan Scott	1f0c5327bf	fixed formatting	2026-01-13 16:24:32 +11:00