[cherry-pick] add scc and update deployment #5940

Merged
4 changes: 4 additions & 0 deletions docs/content/usage-reporting.md
Expand Up @@ -117,6 +117,10 @@ Download and save the deployment file [cluster-connector.yaml](https://raw.githu
- `-nms-server-address` should be the address of the Usage Reporting API, which will be the combination of NGINX Management Suite server hostname and the URI `api/platform/v1`
- `nms-basic-auth-secret` should be the namespace/name of the secret created in step 3: `nginx-cluster-connector/nms-basic-auth`.

{{< note >}} OpenShift requires a SecurityContextConstraints object for NGINX Cluster Connector.

It can be created with the command `oc create -f scc.yaml`, using the file found in `shared-examples/` {{< /note >}}

For more information, read the [Command-line arguments](#command-line-arguments) section of this page.

---
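Review bot: the path in the note (`shared-examples/`) does not match where this PR adds the file, `examples/shared-examples/usage-reporting/scc.yaml`; quote the full path so `oc create -f scc.yaml` works from the repository root. The note should also say that the SCC must be created before `cluster-connector.yaml` is applied, since the Deployment's pod is admitted against it and the ClusterRole in that file references it by name.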
123 changes: 69 additions & 54 deletions examples/shared-examples/usage-reporting/cluster-connector.yaml
Expand Up @@ -14,65 +14,76 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nginx-cluster-connector
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- list
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- list
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
- security.openshift.io
verbs:
- create
- delete
- get
- use
resources:
- securitycontextconstraints
resourceNames:
- nginx-cluster-connector
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nginx-cluster-connector
subjects:
- kind: ServiceAccount
name: nginx-cluster-connector
namespace: nginx-cluster-connector
- kind: ServiceAccount
name: nginx-cluster-connector
namespace: nginx-cluster-connector
roleRef:
kind: ClusterRole
name: nginx-cluster-connector
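Review bot: the new `security.openshift.io` rule grants `create`, `delete` and `get` on the SCC to the connector's own service account, but a pod only needs `use` to be admitted under it. `create` is also ineffective in this rule because RBAC cannot scope create requests by `resourceNames` (the object name is not known at authorization time), so it cannot be what creates the SCC. Suggest reducing the verbs to `use` so the workload cannot delete or replace its own constraints, and ordering the keys as `resources:` then `verbs:` to match the other rules.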
Expand All @@ -95,8 +106,11 @@ spec:
spec:
serviceAccountName: nginx-cluster-connector
automountServiceAccountToken: true
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.1.0
- image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.2.0
imagePullPolicy: IfNotPresent
name: nginx-cluster-connector
resources:
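Review bot: the image moves from `0.1.0` to `0.2.0` but is still referenced by a mutable tag; for a deployment file users copy verbatim, consider pinning the image by `@sha256:` digest alongside the tag (the digest is not on this page). The pod-level `seccompProfile: RuntimeDefault` lines up with the `runtime/default` entry in scc.yaml.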
Expand All @@ -107,6 +121,7 @@ spec:
# cpu: "1"
# memory: "1Gi"
securityContext:
allowPrivilegeEscalation: false
runAsUser: 101 #nginx
runAsNonRoot: true
capabilities:
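Review bot: `allowPrivilegeEscalation: false` next to `runAsNonRoot: true` is the right direction. The `capabilities:` block is cut off in this view, but for the pod to pass the new SCC it must `drop: [ALL]` to satisfy `requiredDropCapabilities`, so please confirm that is what follows. Since scc.yaml leaves `readOnlyRootFilesystem: false`, the container could also set `readOnlyRootFilesystem: true` if the connector does not write to its filesystem.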
30 changes: 30 additions & 0 deletions examples/shared-examples/usage-reporting/scc.yaml
@@ -0,0 +1,30 @@
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
name: nginx-cluster-connector
allowPrivilegedContainer: false
runAsUser:
type: MustRunAs
uid: 101
seLinuxContext:
type: MustRunAs
fsGroup:
type: MustRunAs
supplementalGroups:
type: MustRunAs
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowHostDirVolumePlugin: false
allowHostIPC: false
readOnlyRootFilesystem: false
seccompProfiles:
- runtime/default
volumes:
- secret
requiredDropCapabilities:
- ALL
users:
- 'system:serviceaccount:*:nginx-cluster-connector'
allowedCapabilities:
- NET_BIND_SERVICE
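Review bot: the `users:` entry `system:serviceaccount:*:nginx-cluster-connector` is written as a glob, but SCC user matching is an exact string comparison, so this entry will not match any service account; the workload reaches the SCC through the `use` verb in the ClusterRole instead. Either drop `users:` or list `system:serviceaccount:nginx-cluster-connector:nginx-cluster-connector` explicitly (the namespace used in cluster-connector.yaml). Also, `allowedCapabilities: NET_BIND_SERVICE` lets the pod add a capability back after `requiredDropCapabilities: ALL`; if the connector does not bind a port below 1024, remove it.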