@agup006
Last active August 23, 2023 18:51
#!/bin/bash
set -eu
# Make sure to do this first for OpenShift
if [[ "${SKIP_SA:-no}" != "no" ]]; then
  echo "Skipping service account creation"
  exit 0  # without this the check was a no-op: the manifests were applied anyway
fi
NAMESPACE=calyptia
echo "Setting up SCC and associated service account in $NAMESPACE"
# Unquoted heredoc on purpose: $NAMESPACE must expand inside the manifests.
cat << EOF | kubectl apply -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: calyptia-core-scc
allowHostPorts: false
priority: null
requiredDropCapabilities:
  - CHOWN
  - DAC_OVERRIDE
  - FSETID
  - FOWNER
  - SETGID
  - SETUID
  - SETPCAP
  - NET_BIND_SERVICE
  - KILL
allowPrivilegedContainer: false
runAsUser:
  type: RunAsAny
users: []
# hostPath is the one host-level grant here: pods using this SCC may mount node
# directories, so the SCC is exposed only to the calyptia-core service account
# through the Role/RoleBinding below rather than listed in users/groups.
allowHostDirVolumePlugin: true
allowHostIPC: false
forbiddenSysctls:
  - '*'
seLinuxContext:
  type: RunAsAny
readOnlyRootFilesystem: false
fsGroup:
  type: RunAsAny
groups: []
defaultAddCapabilities: null
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - emptyDir
  - hostPath
  - secret
allowHostPID: false
allowHostNetwork: false
allowPrivilegeEscalation: false
allowedCapabilities: null
defaultAllowPrivilegeEscalation: false
---
# Namespaced Role granting only the "use" verb on this single SCC.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: calyptia-core-role
  namespace: $NAMESPACE
rules:
  - verbs:
      - use
    apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    resourceNames:
      - calyptia-core-scc
---
# Binds the Role to the calyptia-core service account in the same namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calyptia-core-role-binding
  namespace: $NAMESPACE
subjects:
  - kind: ServiceAccount
    name: calyptia-core
    namespace: $NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: calyptia-core-role
---
EOF
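An added review check, not part of the gist: it audits the SCC the script creates for settings that widen what a pod bound to it may do (host directory access, open user/SELinux/fsGroup strategies), reading the object as `oc get scc calyptia-core-scc -o json` would return it. The JSON below is constructed from the manifest above and carries only the fields the audit reads.

```python
import json

# Constructed from the gist's SCC manifest; the shape matches `oc get scc ... -o json`.
SCC_JSON = """
{
  "apiVersion": "security.openshift.io/v1",
  "kind": "SecurityContextConstraints",
  "metadata": {"name": "calyptia-core-scc"},
  "allowPrivilegedContainer": false,
  "allowHostDirVolumePlugin": true,
  "allowHostNetwork": false,
  "allowHostPID": false,
  "allowHostIPC": false,
  "allowPrivilegeEscalation": false,
  "allowedCapabilities": null,
  "runAsUser": {"type": "RunAsAny"},
  "seLinuxContext": {"type": "RunAsAny"},
  "fsGroup": {"type": "RunAsAny"},
  "supplementalGroups": {"type": "RunAsAny"},
  "volumes": ["configMap", "emptyDir", "hostPath", "secret"]
}
"""

# Boolean grants that expose host resources or allow escalation when true.
HOST_FLAGS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
              "allowHostNetwork", "allowHostPID", "allowHostIPC",
              "allowPrivilegeEscalation")
# Strategies that, when RunAsAny, let the pod spec pick any UID / SELinux label / fsGroup.
OPEN_STRATEGIES = ("runAsUser", "seLinuxContext", "fsGroup")


def audit_scc(scc: dict) -> list[str]:
    """Return one finding per setting that widens the pod's reach; empty list if none."""
    findings = []
    for flag in HOST_FLAGS:
        if scc.get(flag) is True:
            findings.append(f"{flag} is true")
    if scc.get("allowedCapabilities"):
        findings.append("allowedCapabilities: " + ",".join(scc["allowedCapabilities"]))
    for field in OPEN_STRATEGIES:
        if (scc.get(field) or {}).get("type") == "RunAsAny":
            findings.append(f"{field} strategy is RunAsAny")
    volumes = set(scc.get("volumes") or [])
    if "*" in volumes or "hostPath" in volumes:
        findings.append("hostPath volumes allowed")
    return findings


def audit_scc_json(text: str) -> list[str]:
    """Convenience wrapper for raw `oc get scc -o json` output."""
    return audit_scc(json.loads(text))


if __name__ == "__main__":
    for finding in audit_scc_json(SCC_JSON):
        print("finding:", finding)
```

For the gist's SCC the audit reports the hostPath grant (both `allowHostDirVolumePlugin` and the `volumes` entry) and the three RunAsAny strategies, which is exactly the set a reviewer should confirm is needed before approving the RoleBinding.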