fix(lmutil): allowd caps in openshift scc (#81)
vkumbhar94 authored Feb 8, 2023
1 parent e1418f8 commit 4408921
Showing 2 changed files with 20 additions and 6 deletions.
2 changes: 1 addition & 1 deletion charts/lmutil/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: library
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.5
version: 0.1.6

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
24 changes: 19 additions & 5 deletions charts/lmutil/templates/_openshift-scc.tpl
Expand Up @@ -8,6 +8,16 @@ These templates take following arguments:
{{- $top := first . -}}
{{- $name := (index . 1) -}}
{{- $saUsers := (index . 2) -}}
{{- $caps := (list) -}}
{{- if gt (len .) 3 }}
{{- $caps = concat $caps (index . 3) -}}
{{- end }}
{{- if not (has "NET_RAW" $caps) }}
{{- $caps = append $caps "NET_RAW" }}
{{- end }}
{{- if not (has "NET_BIND_SERVICE" $caps) }}
{{- $caps = append $caps "NET_BIND_SERVICE" }}
{{- end }}
{{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
allowHostDirVolumePlugin: false
allowHostIPC: false
Expand All @@ -16,9 +26,7 @@ allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
- NET_RAW
allowedCapabilities: {{ toYaml $caps | nindent 2 }}
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
Expand Down Expand Up @@ -77,6 +85,13 @@ These templates take following arguments:
{{- $top := first . -}}
{{- $name := (index . 1) -}}
{{- $saUsers := (index . 2) -}}
{{- $caps := (list) -}}
{{- if gt (len .) 3 }}
{{- $caps = concat $caps (index . 3) -}}
{{- end }}
{{- if not (has "NET_RAW" $caps) }}
{{- $caps = append $caps "NET_RAW" }}
{{- end }}
{{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
allowHostDirVolumePlugin: false
allowHostIPC: false
Expand All @@ -85,8 +100,7 @@ allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- NET_RAW
allowedCapabilities: {{ toYaml $caps | nindent 2 }}
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
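Review bot: The new optional fourth argument is spliced into `allowedCapabilities` unchecked, so whatever capability names a consuming chart passes in `(index . 3)` land in the SecurityContextConstraints verbatim; since this is a library chart, the intent that callers may widen the SCC beyond NET_RAW/NET_BIND_SERVICE should at least be stated in the "These templates take following arguments:" comment above this hunk, e.g. `- (optional) list of additional capability names to add to allowedCapabilities`, and a constrained allow-list of accepted names is worth considering. The same applies to the second template at the `@@ -77,6 +85,13 @@` hunk, where the comment is also not updated. `concat $caps (index . 3)` also fails at render time if a caller passes a scalar or nil as the fourth element; guarding with `{{- if and (gt (len .) 3) (kindIs "slice" (index . 3)) }}` would make the argument genuinely optional. Both `define` blocks start above their hunks, so the argument documentation is outside the visible diff.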