diff --git a/charts/lmutil/Chart.yaml b/charts/lmutil/Chart.yaml
index 301654f..83b12e6 100644
--- a/charts/lmutil/Chart.yaml
+++ b/charts/lmutil/Chart.yaml
@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.5
+version: 0.1.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/lmutil/templates/_openshift-scc.tpl b/charts/lmutil/templates/_openshift-scc.tpl
index c71b8d9..8d47624 100644
--- a/charts/lmutil/templates/_openshift-scc.tpl
+++ b/charts/lmutil/templates/_openshift-scc.tpl
@@ -8,6 +8,16 @@ These templates take following arguments:
 {{- $top := first . -}}
 {{- $name := (index . 1) -}}
 {{- $saUsers := (index . 2) -}}
+{{- $caps := (list) -}}
+{{- if gt (len .) 3 }}
+{{- $caps = concat $caps (index . 3) -}}
+{{- end }}
+{{- if not (has "NET_RAW" $caps) }}
+{{- $caps = append $caps "NET_RAW" }}
+{{- end }}
+{{- if not (has "NET_BIND_SERVICE" $caps) }}
+{{- $caps = append $caps "NET_BIND_SERVICE" }}
+{{- end }}
 {{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
 allowHostDirVolumePlugin: false
 allowHostIPC: false
@@ -16,9 +26,7 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: false
 allowPrivilegedContainer: false
-allowedCapabilities:
-  - NET_BIND_SERVICE
-  - NET_RAW
+allowedCapabilities: {{ toYaml $caps | nindent 2 }}
 apiVersion: security.openshift.io/v1
 defaultAddCapabilities: null
 fsGroup:
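Review bot: The new optional fourth argument is spliced straight into `allowedCapabilities` with no type check and no documentation (`{{- $caps = concat $caps (index . 3) -}}`), so any consumer of this library template can widen the SCC to arbitrary capabilities, and the argument list in the header comment above the hunk ("These templates take following arguments:") is not updated to mention it. As far as I can tell Sprig's `concat` rejects a non-list argument at render time, so a caller that passes an unset values key (nil) breaks the render rather than falling back to the baseline; guarding with `{{- if and (gt (len .) 3) (kindIs "slice" (index . 3)) }}` fails soft, and a line in the header comment such as "optional 4th: list of extra capabilities to add to allowedCapabilities (NET_RAW and NET_BIND_SERVICE are always included)" records the widening where reviewers of the chart will look. The enclosing define starts above the hunk. The @@ -77 hunk duplicates this logic for the second SCC and needs the same guard and documentation.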
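Review bot: `allowedCapabilities: {{ toYaml $caps | nindent 2 }}` renders a trailing space after the colon, because `nindent` begins with a newline and the space before `{{` is kept; `allowedCapabilities: {{- toYaml $caps | nindent 2 }}` produces the same list with a yamllint-clean manifest. The removed literal list was also the only place a reader could see what this SCC permits; with the value now computed, a comment above the key (`# baseline NET_RAW + NET_BIND_SERVICE, plus anything passed as the 4th argument`) keeps that visible in the rendered output. The @@ -85 hunk has the same trailing-space pattern.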
@@ -77,6 +85,13 @@ These templates take following arguments:
 {{- $top := first . -}}
 {{- $name := (index . 1) -}}
 {{- $saUsers := (index . 2) -}}
+{{- $caps := (list) -}}
+{{- if gt (len .) 3 }}
+{{- $caps = concat $caps (index . 3) -}}
+{{- end }}
+{{- if not (has "NET_RAW" $caps) }}
+{{- $caps = append $caps "NET_RAW" }}
+{{- end }}
 {{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
 allowHostDirVolumePlugin: false
 allowHostIPC: false
@@ -85,8 +100,7 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: false
-allowedCapabilities:
-  - NET_RAW
+allowedCapabilities: {{ toYaml $caps | nindent 2 }}
 apiVersion: security.openshift.io/v1
 defaultAddCapabilities: null
 fsGroup: