
@williamcaban
Last active August 19, 2021 18:20

Example (Privileged deployment with privileges to modify network)

  1. Create namespace & ServiceAccount (see 01-create-ns.yaml)

  2. Assign privileges to the ServiceAccount. The namespace is `net-pod`; `net-pod-sa` is the ServiceAccount inside it, so switch to the namespace (not the SA name) before binding the SCC:

```shell
# Move to the project
oc project net-pod
# assign privileged SCC to SA
oc adm policy add-scc-to-user privileged -z net-pod-sa
```

  3. Deploy container (see 02-deploy-pod.yaml)

Note: `privileged: true` already grants every capability, so the explicit `NET_ADMIN` in the pod spec is redundant as long as the container is privileged. To limit the pod to network changes, drop `privileged: true` and keep `NET_ADMIN`; the SA still needs an SCC that allows that capability (`restricted` does not, `privileged` does). Without `hostNetwork: true` the capability only affects the pod's own network namespace, not the node's interfaces.
```yaml
# 01-create-ns.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: net-pod
  labels:
    openshift.io/cluster-monitoring: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: net-pod-sa
  namespace: net-pod
# oc project net-pod
# oc adm policy add-scc-to-user privileged -z net-pod-sa
```
```yaml
# 02-deploy-pod.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-pod
  namespace: net-pod
  labels:
    myapp: net-pod
spec:
  selector:
    matchLabels:
      name: net-pod
  template:
    metadata:
      labels:
        name: net-pod
    spec:
      # hostPID: true
      # hostNetwork: true   # required for NET_ADMIN to reach the node's interfaces
      serviceAccountName: net-pod-sa   # the SA bound to the privileged SCC
      terminationGracePeriodSeconds: 30
      containers:
      - name: net-pod
        image: quay.io/wcaban/net-toolbox:latest
        # resources:
        #   limits:
        #     memory: 200Mi
        #     cpu: 1000m
        #   requests:
        #     cpu: 100m
        #     memory: 200Mi
        securityContext:
          privileged: true        # already implies every capability
          capabilities:
            add:
            - NET_ADMIN           # redundant while privileged; keep it if privileged is dropped
        command:
        - /bin/bash
        - -c
        - sleep infinity
        # env:
        # - name: key
        #   value: value
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: FallbackToLogsOnError
  # strategy:                # Deployment uses "strategy" ("updateStrategy" is the DaemonSet field)
  #   type: RollingUpdate
  #   rollingUpdate:
  #     maxUnavailable: 1
```
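The three steps above, scripted end to end, as an added example that is not one of the gist's files. It goes a little beyond the gist: the rendered Deployment asks only for `NET_ADMIN` (no `privileged: true`) with `hostNetwork` switchable through an environment variable, and after deployment it checks two things a reviewer wants to know: which SCC admission actually stamped on the pod (the `openshift.io/scc` annotation) and whether the container really holds `CAP_NET_ADMIN` (bit 12 of `CapEff` in `/proc/self/status`). Assumed: `oc` is logged in as a user allowed to bind SCCs, the image is the gist's `quay.io/wcaban/net-toolbox:latest`, and the `deploy`/`verify` subcommand names are this script's own.

```shell
#!/usr/bin/env bash
# Added example (not the gist's own code). Scripts the net-pod procedure and
# verifies the result. Assumptions: `oc` is logged in with rights to bind SCCs;
# the image is the one from the gist.
set -eu

NS="net-pod"
SA="net-pod-sa"
IMAGE="quay.io/wcaban/net-toolbox:latest"
HOST_NETWORK="${HOST_NETWORK:-false}"   # true = NET_ADMIN acts on the node's netns

# Emit both manifests as one stream. Unlike the gist, only NET_ADMIN is
# requested: privileged: true would grant every capability and host device.
render_manifests() {
  cat <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: ${NS}
  labels:
    openshift.io/cluster-monitoring: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA}
  namespace: ${NS}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-pod
  namespace: ${NS}
spec:
  selector:
    matchLabels:
      name: net-pod
  template:
    metadata:
      labels:
        name: net-pod
    spec:
      serviceAccountName: ${SA}
      hostNetwork: ${HOST_NETWORK}
      containers:
      - name: net-pod
        image: ${IMAGE}
        command: ["/bin/bash", "-c", "sleep infinity"]
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN"]
EOF
}

# Apply the procedure to a live cluster. -n pins the SCC binding to the
# namespace even if `oc project` currently points elsewhere.
deploy() {
  render_manifests | oc apply -f -
  oc adm policy add-scc-to-user privileged -z "${SA}" -n "${NS}"
  oc -n "${NS}" rollout status deployment/net-pod --timeout=120s
}

# Given pod JSON on stdin (oc get pod ... -o json), print the SCC that
# admission recorded in the openshift.io/scc annotation. No jq needed.
pod_scc() {
  grep -o '"openshift.io/scc": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}

# True if a CapEff bitmask (hex, as printed in /proc/<pid>/status) contains
# CAP_NET_ADMIN, capability number 12 in linux/capability.h.
has_cap_net_admin() {
  [ $(( (0x$1 >> 12) & 1 )) -eq 1 ]
}

# Live check: read CapEff from inside the running container and decode it.
verify_live() {
  local capeff
  capeff=$(oc -n "${NS}" exec deploy/net-pod -- awk '/^CapEff/{print $2}' /proc/self/status)
  echo "SCC applied: $(oc -n "${NS}" get pod -l name=net-pod -o json | pod_scc)"
  if has_cap_net_admin "${capeff}"; then
    echo "CapEff=${capeff}: CAP_NET_ADMIN present"
  else
    echo "CapEff=${capeff}: CAP_NET_ADMIN missing (check the SCC binding)" >&2
    return 1
  fi
}

case "${1:-}" in
  deploy) deploy ;;
  verify) verify_live ;;
esac
```

Run `./net-pod.sh deploy` and then `./net-pod.sh verify`. If `verify` reports the `restricted` SCC or a `CapEff` without bit 12, the SCC binding did not take (wrong namespace is the usual cause, which is exactly the `oc project` slip in the gist's own comments). Setting `HOST_NETWORK=true` is what turns "modify the pod's network" into "modify the node's network"; leave it unset unless that is the intent.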