fedora-coreos-pipeline: drop privileged service account
The FCOS pipeline doesn't require any special privileges, so let's drop the `fcos-sa` service account and the associated SCC.
This commit is contained in:
parent
1e304a8467
commit
9244b4c122
3 changed files with 0 additions and 50 deletions
|
@ -1,10 +1,8 @@
|
||||||
project_name: fedora-coreos-pipeline
|
project_name: fedora-coreos-pipeline
|
||||||
project_description: Fedora CoreOS Pipeline
|
project_description: Fedora CoreOS Pipeline
|
||||||
project_service_account: fcos-sa
|
|
||||||
appowners: []
|
appowners: []
|
||||||
ocp_service_account: root
|
ocp_service_account: root
|
||||||
project_templates:
|
project_templates:
|
||||||
- project.yaml
|
- project.yaml
|
||||||
- group.yaml
|
- group.yaml
|
||||||
- rolebinding.yaml
|
- rolebinding.yaml
|
||||||
- securitycontextconstraints.yaml
|
|
||||||
|
|
|
@ -19,13 +19,3 @@
|
||||||
- name: oc apply resources
|
- name: oc apply resources
|
||||||
command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/{{project_name}}/{{ item }}"
|
command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/{{project_name}}/{{ item }}"
|
||||||
with_items: "{{ project_templates }}"
|
with_items: "{{ project_templates }}"
|
||||||
|
|
||||||
# create the service account
|
|
||||||
- name: create service account
|
|
||||||
command: "/root/bin/oc create sa {{ project_service_account }} -n {{ project_name }}"
|
|
||||||
register: sa_resource_create
|
|
||||||
failed_when: sa_resource_create.stderr != '' and 'already exists' not in sa_resource_create.stderr
|
|
||||||
|
|
||||||
# apply the anyuid-setfcap SCC to the service account
|
|
||||||
- name: create service account
|
|
||||||
command: "/root/bin/oc adm policy add-scc-to-user anyuid-setfcap -z {{ project_service_account }}"
|
|
||||||
|
|
|
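Review bot: Dropping the `create service account` and `add-scc-to-user` tasks stops the playbook from provisioning `fcos-sa` and binding it to `anyuid-setfcap`, but nothing on the new side removes those objects from clusters where the playbook has already run, and the remaining `oc apply resources` task does not prune a template that disappears from `project_templates`, so the SCC (which lists `system:cluster-admins`, defaults `CAP_SETFCAP` and sets `allowPrivilegeEscalation: true`) and the service account stay live until someone deletes them by hand. A cleanup task alongside the surviving `oc apply` task would close that gap, e.g. `- name: remove obsolete anyuid-setfcap SCC` / `command: "/root/bin/oc delete scc anyuid-setfcap"` / `failed_when: scc_delete.rc != 0 and 'NotFound' not in scc_delete.stderr` (with a matching `register: scc_delete`), plus the equivalent `oc delete sa fcos-sa -n fedora-coreos-pipeline`; if the intent is a one-off manual removal instead, that should be stated in the commit message. The task list these lines belong to starts before the hunk, so I cannot see whether a later task already handles this.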
@ -1,38 +0,0 @@
|
||||||
allowHostDirVolumePlugin: false
|
|
||||||
allowHostIPC: false
|
|
||||||
allowHostNetwork: false
|
|
||||||
allowHostPID: false
|
|
||||||
allowHostPorts: false
|
|
||||||
allowPrivilegeEscalation: true
|
|
||||||
allowPrivilegedContainer: false
|
|
||||||
allowedCapabilities: null
|
|
||||||
apiVersion: security.openshift.io/v1
|
|
||||||
defaultAddCapabilities:
|
|
||||||
- CAP_SETFCAP
|
|
||||||
fsGroup:
|
|
||||||
type: RunAsAny
|
|
||||||
groups:
|
|
||||||
- system:cluster-admins
|
|
||||||
kind: SecurityContextConstraints
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/description: custom scc for anyuid + CAP_SETFCAP defaultAddCapability
|
|
||||||
name: anyuid-setfcap
|
|
||||||
priority: 10
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
requiredDropCapabilities:
|
|
||||||
- MKNOD
|
|
||||||
runAsUser:
|
|
||||||
type: RunAsAny
|
|
||||||
seLinuxContext:
|
|
||||||
type: MustRunAs
|
|
||||||
supplementalGroups:
|
|
||||||
type: RunAsAny
|
|
||||||
volumes:
|
|
||||||
- configMap
|
|
||||||
- downwardAPI
|
|
||||||
- emptyDir
|
|
||||||
- persistentVolumeClaim
|
|
||||||
- projected
|
|
||||||
- secret
|
|
||||||
|
|