@miminar
Created September 20, 2017 09:07
Add scc to nfs-provisioner
# Resolve "<namespace>:<serviceaccount>" of the running nfs-provisioner pod.
saname=$(oc get -o jsonpath=$'{.metadata.namespace}:{.spec.serviceAccount}\n' pod nfs-provisioner)
# Grant the SCC defined below to that service account only.
oc adm policy add-scc-to-user scc-nfs-provisioner \
    "system:serviceaccount:${saname}"
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities:
- DAC_READ_SEARCH
- SYS_RESOURCE
apiVersion: v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
users:
kind: SecurityContextConstraints
metadata:
  name: scc-nfs-provisioner
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SYS_CHROOT
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
- hostPath