Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Openshift 4.11 Pod security standards #260

Closed
wants to merge 1 commit into from
Closed

WIP: Openshift 4.11 Pod security standards #260

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions gitops/argocd/tektoncd/clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
---
kind: ClusterRole
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the key question is if this ClusterRole needs to be created on the workload cluster, or if it needs to be created in KCP.

apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pipelines-scc-clusterrole
rules:
- verbs:
- use
apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- pipelines-scc-v2
2 changes: 2 additions & 0 deletions gitops/argocd/tektoncd/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,5 @@ resources:
- allow-argocd-to-manage.yaml
- openshift-operator.yaml
- tekton-config.yaml
- clusterrole.yaml
- pipelines-scc-v2.yaml
45 changes: 45 additions & 0 deletions gitops/argocd/tektoncd/pipelines-scc-v2.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
allowHostPorts: false
priority: 10
requiredDropCapabilities:
- MKNOD
allowPrivilegedContainer: false
runAsUser:
type: RunAsAny
users: []
allowHostDirVolumePlugin: false
allowHostIPC: false
seLinuxContext:
type: MustRunAs
readOnlyRootFilesystem: false
metadata:
annotations:
include.release.openshift.io/ibm-cloud-managed: 'true'
include.release.openshift.io/self-managed-high-availability: 'true'
include.release.openshift.io/single-node-developer: 'true'
Comment on lines +17 to +19
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need these - these are special annotations used by OLM for OpenShift (I believe)

kubernetes.io/description: >-
pipelines-scc-v2 is a close replica of pipelines-scc scc. pipelines-scc-v2 has allowPrivilegeEscalation=false.
release.openshift.io/create-only: 'true'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likewise - I don' think we need this, since ArgoCD is going to be doing the syncing.

generation: 1
name: pipelines-scc-v2
fsGroup:
type: MustRunAs
groups:
- 'system:cluster-admins'
kind: SecurityContextConstraints
defaultAddCapabilities: null
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
allowHostPID: false
allowHostNetwork: false
allowPrivilegeEscalation: false
apiVersion: security.openshift.io/v1
allowedCapabilities:
- SETFCAP