49 lines
1.3 KiB
YAML
49 lines
1.3 KiB
YAML
{{- if .Values.platform.openshift }}
|
|
apiVersion: security.openshift.io/v1
|
|
kind: SecurityContextConstraints
|
|
metadata:
|
|
labels:
|
|
{{- include "gpu-operator.labels" . | nindent 4 }}
|
|
app.kubernetes.io/component: "gpu-operator"
|
|
annotations:
|
|
kubernetes.io/description: restricted denies access to all host features and requires
|
|
pods to be run with a UID, read-only root filesystem and SELinux context that are
|
|
allocated to the namespace. This SCC is more restrictive than the default
|
|
restrictive SCC and it is used by default for authenticated users and operators and operands.
|
|
name: restricted-readonly
|
|
allowHostDirVolumePlugin: false
|
|
allowHostIPC: false
|
|
allowHostNetwork: false
|
|
allowHostPID: false
|
|
allowHostPorts: false
|
|
allowPrivilegeEscalation: true
|
|
allowPrivilegedContainer: false
|
|
allowedCapabilities: []
|
|
defaultAddCapabilities: []
|
|
fsGroup:
|
|
type: MustRunAs
|
|
groups:
|
|
- system:authenticated
|
|
priority: 0
|
|
readOnlyRootFilesystem: true
|
|
requiredDropCapabilities:
|
|
- KILL
|
|
- MKNOD
|
|
- SETUID
|
|
- SETGID
|
|
runAsUser:
|
|
type: MustRunAsRange
|
|
seLinuxContext:
|
|
type: MustRunAs
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
users:
|
|
- system:serviceaccount:{{ $.Release.Namespace }}:gpu-operator
|
|
volumes:
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- persistentVolumeClaim
|
|
- projected
|
|
- secret
|
|
{{- end }}
|