Set SCC's RunAsUser as MustRunAsRange
Upstream Helm Chart is removing explicit `runAsUser` value from the
Deployment and DaemonSet resources. This practically means the UID
will be inherited from the image's Dockerfile.

Users on vanilla Kubernetes clusters will not observe a change in
behavior, unless they have exotic configurations.

However, OpenShift does have additional security measures. It suggests
using randomized UIDs/GIDs for workloads. To enable this, the custom
Security Context Constraint resources are being updated.
The `MustRunAsRange` policy is utilized with pre-allocated values
(no explicit range min/max), which effectively allows OpenShift to
pick its own ranges.
sigv committed Apr 22, 2024
1 parent 07ecbd6 commit bf3880e
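The commit message describes the effect of moving `runAsUser` from a pinned `MustRunAs` UID to `MustRunAsRange` with no explicit bounds. The following added example (not code from this repository or its author) models that admission behaviour in Python so the before/after difference is visible on constructed input. It assumes the documented OpenShift semantics: `MustRunAs` pins and defaults to the configured `uid`; `MustRunAsRange` without `uidRangeMin`/`uidRangeMax` takes its range from the namespace annotation `openshift.io/sa.scc.uid-range`, written as `<start>/<size>`, and defaults a pod with no `runAsUser` to the lowest UID of that range. The SCC fragments and the namespace annotation below are constructed sample data.

```python
"""Model of how an OpenShift SCC runAsUser strategy constrains a pod.

Added illustration, not part of the project; it reproduces the documented
OpenShift semantics for MustRunAs and MustRunAsRange (assumption, see the
lead-in) and nothing else.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed SCC fragments mirroring the "before" and "after" of the commit.
SCC_BEFORE = {"runAsUser": {"type": "MustRunAs", "uid": 101}}
SCC_AFTER = {"runAsUser": {"type": "MustRunAsRange"}}

# Constructed namespace annotation of the kind OpenShift pre-allocates per
# project: "<start>/<size>".
NAMESPACE_ANNOTATIONS = {"openshift.io/sa.scc.uid-range": "1000680000/10000"}

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"


@dataclass(frozen=True)
class UidRange:
    lo: int
    hi: int  # inclusive

    def contains(self, uid: int) -> bool:
        return self.lo <= uid <= self.hi


def range_from_annotation(annotations: Dict[str, str]) -> UidRange:
    """Parse the pre-allocated project range "<start>/<size>"."""
    start_str, size_str = annotations[UID_RANGE_ANNOTATION].split("/")
    start, size = int(start_str), int(size_str)
    if size <= 0:
        raise ValueError("uid range size must be positive")
    return UidRange(start, start + size - 1)


def effective_range(scc: dict, annotations: Dict[str, str]) -> UidRange:
    """Resolve the set of UIDs the SCC permits in the given namespace."""
    strategy = scc["runAsUser"]
    kind = strategy["type"]
    if kind == "MustRunAs":
        # Pinned UID: the range collapses to a single value.
        uid = int(strategy["uid"])
        return UidRange(uid, uid)
    if kind == "MustRunAsRange":
        if "uidRangeMin" in strategy and "uidRangeMax" in strategy:
            return UidRange(int(strategy["uidRangeMin"]), int(strategy["uidRangeMax"]))
        # No explicit bounds: fall back to the namespace's pre-allocated range.
        return range_from_annotation(annotations)
    raise ValueError(f"unsupported runAsUser strategy: {kind}")


def admit(scc: dict, annotations: Dict[str, str],
          requested_uid: Optional[int]) -> Tuple[bool, Optional[int]]:
    """Return (admitted, assigned_uid) for a pod.

    A pod that sets no runAsUser is assigned the lowest UID of the effective
    range; a pod that sets one explicitly is admitted only if it lies inside
    that range.
    """
    rng = effective_range(scc, annotations)
    if requested_uid is None:
        return True, rng.lo
    if rng.contains(requested_uid):
        return True, requested_uid
    return False, None


if __name__ == "__main__":
    for label, scc in (("before", SCC_BEFORE), ("after", SCC_AFTER)):
        print(label, "range:", effective_range(scc, NAMESPACE_ANNOTATIONS))
        for uid in (None, 101, 1000680005):
            print(f"  requested={uid!r:>12} ->", admit(scc, NAMESPACE_ANNOTATIONS, uid))
```

The run shows the practical consequence of the change: under the old SCC every pod ran as UID 101, while under the new one a pod with no `runAsUser` is assigned the project's range start and an explicit `runAsUser: 101` is rejected. Any writable path in the image that is owned only by UID 101 therefore has to be made usable by an arbitrary UID before this SCC is rolled out.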
Showing 2 changed files with 2 additions and 4 deletions.
3 changes: 1 addition & 2 deletions resources/scc-daemonset.yaml
Expand Up @@ -5,8 +5,7 @@ metadata:
name: nginx-ingress-admin
allowPrivilegedContainer: false
runAsUser:
type: MustRunAs
uid: 101
type: MustRunAsRange
seLinuxContext:
type: MustRunAs
fsGroup:
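Review bot: With `type: MustRunAsRange` and no `uidRangeMin`/`uidRangeMax` on the `runAsUser` stanza, the SCC defers to the pre-allocated range of whichever namespace the DaemonSet is deployed into, so a pod that still sets `runAsUser: 101` explicitly will be rejected, and an image whose writable paths are owned only by UID 101 may fail at runtime. A short comment on this stanza (and a line in the chart docs) stating that the workload must tolerate an arbitrary non-root UID, for example by making those paths group-writable for GID 0, would save operators a surprise. Leaving `seLinuxContext` and `fsGroup` on `MustRunAs` is consistent with that intent.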
3 changes: 1 addition & 2 deletions resources/scc.yaml
Expand Up @@ -5,8 +5,7 @@ metadata:
name: nginx-ingress-admin
allowPrivilegedContainer: false
runAsUser:
type: MustRunAs
uid: 101
type: MustRunAsRange
seLinuxContext:
type: MustRunAs
fsGroup:
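Review bot: This hunk is the same edit as in resources/scc-daemonset.yaml, and both files carry `name: nginx-ingress-admin` in the visible context; two SCC manifests with the same `metadata.name` would overwrite each other if both were applied to one cluster, so it is worth confirming they are alternatives (Deployment versus DaemonSet install) rather than a pair, and adding a comment pointing at the sibling file so later changes to the `runAsUser` strategy land in both.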