Created
September 20, 2017 09:07
Add scc to nfs-provisioner
# Resolve "<serviceaccount_namespace>:<serviceaccount_name>" from the nfs-provisioner pod
saname=$(oc get -o jsonpath=$'{.metadata.namespace}:{.spec.serviceAccount}\n' pod nfs-provisioner)
# Grant the custom SCC to that service account
oc adm policy add-scc-to-user scc-nfs-provisioner \
    "system:serviceaccount:${saname}"

# SecurityContextConstraints object named scc-nfs-provisioner, as referenced by the oc adm policy command
# Note: this flag is false while the volumes list at the end includes hostPath
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
# Capabilities a pod may request in addition to the defaults
allowedCapabilities:
- DAC_READ_SEARCH
- SYS_RESOURCE
apiVersion: v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
users:
kind: SecurityContextConstraints
metadata:
  name: scc-nfs-provisioner
priority: null
readOnlyRootFilesystem: false
# Capabilities always dropped from containers admitted under this SCC
requiredDropCapabilities:
- KILL
- MKNOD
- SYS_CHROOT
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
# Volume types pods may mount under this SCC
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
- hostPath