fix: Add Security context constrint for openshift
Signed-off-by: Diego Alfonso <dalfonso@vmware.com>
odinnordico committed Oct 3, 2023
1 parent 787d0ca commit 582805b
Showing 5 changed files with 110 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -89,6 +89,7 @@ jobs:
cp NOTICE "bundle/NOTICE"
cp VERSION "bundle/VERSION"
cp config/carvel/bundle.yaml "bundle/bundle.yaml"
cp config/carvel/bundle.yaml "bundle/openshift.yaml"
cp -r samples "bundle/samples"
echo "##[group]Build Service Bindings"
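Review bot: The new copy on the `cp config/carvel/bundle.yaml "bundle/openshift.yaml"` line takes its source from bundle.yaml, so the file shipped as bundle/openshift.yaml is a second copy of bundle.yaml rather than the config/carvel/openshift.yaml this commit adds. Since package.yaml now lists both bundle.yaml and openshift.yaml as ytt paths, the SecurityContextConstraints and its RBAC would never be rendered, and every resource in bundle.yaml would likely be templated twice. The source path should be `cp config/carvel/openshift.yaml "bundle/openshift.yaml"`. The enclosing CI step starts and ends outside the hunk.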
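--- a/config/carvel/openshift.yaml
+++ b/config/carvel/openshift.yaml
@@ -0,0 +1,83 @@
+#@ load("@ytt:data", "data")
+
+#@ kubernetes_distribution = ""
+#@ if hasattr(data.values, 'kubernetes_distribution'):
+#@ kubernetes_distribution = data.values.kubernetes_distribution
+#@ end
+#@ if hasattr(data.values, 'shared') and hasattr(data.values.shared, 'kubernetes_distribution'):
+#@ kubernetes_distribution = data.values.shared.kubernetes_distribution
+#@ end
+
+#@ if kubernetes_distribution == "openshift":
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: service-binding-nonroot-scc
+namespace: service-bindings
+rules:
+- apiGroups:
+- security.openshift.io
+resourceNames:
+- service-binding-scc
+resources:
+- securitycontextconstraints
+verbs:
+- use
+- get
+- list
+- watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: service-binding-nonroot-scc
+namespace: service-bindings
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: service-binding-nonroot-scc
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+kind: Group
+name: system:serviceaccounts:service-bindings
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+type: MustRunAs
+groups: []
+kind: SecurityContextConstraints
+metadata:
+name: service-binding-scc
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+type: MustRunAsNonRoot
+seLinuxContext:
+type: MustRunAs
+supplementalGroups:
+type: RunAsAny
+seccompProfiles:
+- runtime/default
+users: []
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
+#@ end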
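Review bot: `allowPrivilegeEscalation: true` in the SecurityContextConstraints is the one setting that does not match the otherwise restricted posture of this SCC (MustRunAsNonRoot, requiredDropCapabilities ALL, no host namespaces, no privileged containers, runtime/default seccomp); a non-root workload that drops all capabilities has no need to regain privilege through setuid binaries, so this should be `allowPrivilegeEscalation: false` unless the controller is known to require it. The Role also grants `get`, `list` and `watch` on the SCC to every service account in the namespace through the `system:serviceaccounts:service-bindings` group, while pod admission only checks the `use` verb; trimming `verbs:` to `- use` keeps the grant minimal. A short `#!` comment above the Role's `---` saying that the binding exists so pods in the namespace can be admitted under this SCC would help the next reader, since the single ytt condition wraps all three documents.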
2 changes: 2 additions & 0 deletions config/carvel/package-install.values.yaml
Expand Up @@ -13,3 +13,5 @@ service_account_name: service-binding-kc
cluster_role_name: service-binding-kc
cluster_role_binding_name: service-binding-kc
sync_period: 10m
shared:
kubernetes_distribution: null
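Review bot: The new `shared.kubernetes_distribution` default carries no documentation of the values it accepts, and the only value with any effect in this commit is the string `"openshift"` compared in config/carvel/openshift.yaml. A `#!` comment above `shared:` such as `#! Set shared.kubernetes_distribution to "openshift" to render the SecurityContextConstraints and RBAC in openshift.yaml; leave null on other distributions.` would make the knob discoverable.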
23 changes: 23 additions & 0 deletions config/carvel/package-install.yaml
Expand Up @@ -2,6 +2,25 @@
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")
#@ load("@ytt:base64", "base64")
#@ load("@ytt:yaml", "yaml")

#@ def collect_values():
#@ values = {}
#@ if hasattr(data.values, "shared"):
#@ values["shared"] = data.values.shared
#@ end
#@ return values
#@ end

---
apiVersion: v1
kind: Secret
metadata:
name: service-bindings-values
namespace: #@ data.values.namespace
stringData:
values.yaml: #@ yaml.encode(collect_values())

---
apiVersion: packaging.carvel.dev/v1alpha1
Expand All @@ -22,6 +41,10 @@ spec:
#@ if data.values.package_prerelease != None:
prereleases: #@ data.values.package_prerelease
#@ end
values:
- secretRef:
name: service-bindings-values


---
apiVersion: kapp.k14s.io/v1alpha1
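Review bot: `collect_values()` forwards only `data.values.shared` into the `service-bindings-values` Secret, yet config/carvel/openshift.yaml in the same commit also honours a top-level `kubernetes_distribution` value; a PackageInstall user who sets the top-level key would likely get no SCC and no error. Either forward that key as well, e.g. `#@ if hasattr(data.values, "kubernetes_distribution"):` / `#@ values["kubernetes_distribution"] = data.values.kubernetes_distribution` / `#@ end` inside `collect_values()`, or drop the top-level branch in openshift.yaml so there is one documented way to set it. The `#@ load("@ytt:base64", "base64")` line appears unused in this hunk, since the Secret is written through `stringData` rather than base64-encoded `data`; if nothing past the hunk uses it, it should be removed. A one-line `#!` comment above `collect_values` stating that it selects the PackageInstall values propagated to the installed package would also help.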
1 change: 1 addition & 0 deletions config/carvel/package.yaml
Expand Up @@ -25,5 +25,6 @@ spec:
paths:
- "-"
- bundle.yaml
- openshift.yaml
deploy:
- kapp: {}

0 comments on commit 582805b
