@flyingbarron
Last active October 6, 2020 08:03
# gremlin-scc.yaml
---
apiVersion: security.openshift.io/v1
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- ALL
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: 'gremlin provides all the features of the
      restricted SCC but allows host mounts, any UID by a pod, and forces
      the process to run as the gremlin.process SELinux type. This is intended
      to be used solely by Gremlin. WARNING: this SCC allows host file
      system access as any UID, including UID 0. Grant with caution.'
  name: gremlin
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  seLinuxOptions:
    type: gremlin.process
  type: MustRunAs
seccompProfiles:
- unconfined
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- emptyDir
- hostPath
- persistentVolumeClaim
- secret