From 9f94f06cf09c17225cf8ff44fc813960116c767f Mon Sep 17 00:00:00 2001
From: Slava Semushin
Date: Thu, 7 Sep 2017 19:03:58 +0200
Subject: [PATCH] Grant access to privileged SCC to system:admin user and members of system:masters group. This change improves UX and allows to a member of the sudoer group to, for example, create a privileged pod using impersonation: $ oc create -f privileged.pod --as system:admin
---
 pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
index 3454055893f5..d47d148cbee3 100644
--- a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
+++ b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
@@ -285,7 +285,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 // GetBoostrapSCCAccess provides the default set of access that should be passed to GetBootstrapSecurityContextConstraints.
 func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[string][]string) {
 groups := map[string][]string{
- SecurityContextConstraintPrivileged: {ClusterAdminGroup, NodesGroup},
+ SecurityContextConstraintPrivileged: {ClusterAdminGroup, NodesGroup, MastersGroup},
 SecurityContextConstraintsAnyUID: {ClusterAdminGroup},
 SecurityContextConstraintRestricted: {AuthenticatedGroup},
 }
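Review bot: The doc comment on `GetBoostrapSCCAccess` still says only that it provides the default set of access; now that `MastersGroup` sits in the privileged list next to `ClusterAdminGroup`, the comment should record why a group that is already cluster-admin needs an explicit SCC entry, e.g. `// system:masters is listed explicitly because SCC admission matches the SCC's users/groups lists, not RBAC bindings, so cluster-admin alone does not admit a privileged pod.` That rationale is inferred from the commit description and should be confirmed against the admission code before it is written down. Both this change and the `users` change in the second hunk only affect bootstrap: a cluster whose privileged SCC is already persisted keeps its old subject lists until SCCs are reconciled, which deserves a sentence in the commit description or a release note. `GetBoostrapSCCAccess` starts in this hunk and continues past its end; the `Boostrap` typo in the exported name predates this change and renaming it would touch callers.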
@@ -293,7 +293,7 @@ func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[strin
 buildControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraBuildControllerServiceAccountName)
 pvRecyclerControllerUsername := serviceaccount.MakeUsername(infraNamespace, InfraPersistentVolumeRecyclerControllerServiceAccountName)
 users := map[string][]string{
- SecurityContextConstraintPrivileged: {buildControllerUsername},
+ SecurityContextConstraintPrivileged: {SystemAdminUsername, buildControllerUsername},
 SecurityContextConstraintHostMountAndAnyUID: {pvRecyclerControllerUsername},
 }
 return groups, users
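Review bot: `SystemAdminUsername` is the only non-service-account principal in the `users` map, and nothing on the new line records why a human-facing identity is granted the privileged SCC directly rather than through a group; a short comment keeps the next reader from treating it as an oversight, e.g. `// system:admin is granted directly so that impersonation (--as system:admin) can create privileged pods without a separate SCC grant.` Any test fixture or golden file that enumerates the privileged SCC's users will presumably need the new entry as well; that cannot be seen from this hunk. `GetBoostrapSCCAccess` begins in the previous hunk and its closing brace lies outside this one.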