88 lines
2.5 KiB
YAML
88 lines
2.5 KiB
YAML
# scc for the Rook and Ceph daemons
|
|
# for creating cluster in openshift
|
|
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
|
|
kind: SecurityContextConstraints
|
|
apiVersion: security.openshift.io/v1
|
|
metadata:
|
|
name: rook-ceph
|
|
allowPrivilegedContainer: true
|
|
allowHostDirVolumePlugin: true
|
|
allowHostPID: false
|
|
# set to true if running rook with host networking enabled
|
|
allowHostNetwork: false
|
|
# set to true if running rook with the provider as host
|
|
allowHostPorts: false
|
|
priority:
|
|
allowedCapabilities: ["MKNOD"]
|
|
allowHostIPC: true
|
|
readOnlyRootFilesystem: false
|
|
# drop all default privileges
|
|
requiredDropCapabilities: ["All"]
|
|
defaultAddCapabilities: []
|
|
runAsUser:
|
|
type: RunAsAny
|
|
seLinuxContext:
|
|
type: MustRunAs
|
|
fsGroup:
|
|
type: MustRunAs
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
volumes:
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- hostPath
|
|
- persistentVolumeClaim
|
|
- projected
|
|
- secret
|
|
users:
|
|
# A user needs to be added for each rook service account.
|
|
- system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-system
|
|
---
|
|
# scc for the CSI driver
|
|
kind: SecurityContextConstraints
|
|
apiVersion: security.openshift.io/v1
|
|
metadata:
|
|
name: rook-ceph-csi
|
|
# To allow running privilegedContainers
|
|
allowPrivilegedContainer: true
|
|
# CSI daemonset pod needs hostnetworking
|
|
allowHostNetwork: true
|
|
# This need to be set to true as we use HostPath
|
|
allowHostDirVolumePlugin: true
|
|
priority:
|
|
# SYS_ADMIN is needed for rbd to execute rbd map command
|
|
allowedCapabilities: ["SYS_ADMIN"]
|
|
# Needed as we run liveness container on daemonset pods
|
|
allowHostPorts: true
|
|
# Needed as we are setting this in RBD plugin pod
|
|
allowHostPID: true
|
|
# Required for encryption
|
|
allowHostIPC: true
|
|
# Set to false as we write to RootFilesystem inside csi containers
|
|
readOnlyRootFilesystem: false
|
|
runAsUser:
|
|
type: RunAsAny
|
|
seLinuxContext:
|
|
type: RunAsAny
|
|
fsGroup:
|
|
type: RunAsAny
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
# The type of volumes which are mounted to csi pods
|
|
volumes:
|
|
- configMap
|
|
- projected
|
|
- emptyDir
|
|
- hostPath
|
|
users:
|
|
# A user needs to be added for each rook service account.
|
|
- system:serviceaccount:{{ .Release.Namespace }}:rook-csi-rbd-plugin-sa
|
|
- system:serviceaccount:{{ .Release.Namespace }}:rook-csi-rbd-provisioner-sa
|
|
- system:serviceaccount:{{ .Release.Namespace }}:rook-csi-cephfs-plugin-sa
|
|
- system:serviceaccount:{{ .Release.Namespace }}:rook-csi-cephfs-provisioner-sa
|
|
- system:serviceaccount:{{ .Release.Namespace }}:rook-csi-nfs-plugin-sa
|
|
- system:serviceaccount:{{ .Release.Namespace }}:rook-csi-nfs-provisioner-sa
|
|
---
|
|
{{- end }}
|