From fc0f6a8452ac09017fff93750deb0f9037e6dbc0 Mon Sep 17 00:00:00 2001
From: Chin K
Date: Tue, 21 Nov 2023 12:01:34 -0500
Subject: [PATCH] :hammer: Add `SecurityContextConstraints` for OpenShift (#1451)

* Added OS route
* Openshift Port-changes
* custom-scc
* custom-scc name update
* Revert "custom-scc name update"
This reverts commit 7e6d96c086dfd23292390393c1cfb1f027e64ff4.
* Added pre-install hook
* default port
* worker port update
* Update helm-chart/templates/14-kubeshark-scc.yaml
Co-authored-by: M. Mert Yildiran
* SCC only for openshift - capability added
---------
Co-authored-by: M. Mert Yildiran
Co-authored-by: M. Mert Yildiran
---
 ...penshift-security-context-constraints.yaml | 53 +++++++++++++++++++
 helm-chart/values.yaml | 2 +-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 helm-chart/templates/14-openshift-security-context-constraints.yaml
diff --git a/helm-chart/templates/14-openshift-security-context-constraints.yaml b/helm-chart/templates/14-openshift-security-context-constraints.yaml
new file mode 100644
index 000000000..f7f4fc04c
--- /dev/null
+++ b/helm-chart/templates/14-openshift-security-context-constraints.yaml
@@ -0,0 +1,53 @@
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ labels:
+ {{- include "kubeshark.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-install
+ {{- if .Values.tap.annotations }}
+ {{- toYaml .Values.tap.annotations | nindent 4 }}
+ {{- end }}
+ name: kubeshark-scc
+priority: 10
+allowPrivilegedContainer: true
+allowHostDirVolumePlugin: true
+allowHostNetwork: true
+allowHostPorts: true
+allowHostPID: true
+allowHostIPC: true
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - MKNOD
+allowedCapabilities:
+ - NET_RAW
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_PTRACE
+ - DAC_OVERRIDE
+ - SYS_RESOURCE
+ - CHECKPOINT_RESTORE
+ - SYS_MODULE
+runAsUser:
+ type: RunAsAny
+fsGroup:
+ type: MustRunAs
+seLinuxContext:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+seccompProfiles:
+- '*'
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - hostPath
+ - projected
+ - ephemeral
+users:
+ - system:serviceaccount:{{ .Release.Namespace }}:kubeshark-service-account
+{{- end }}
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index a54cf5404..521961a88 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -6,7 +6,7 @@ tap:
 imagePullSecrets: []
 proxy:
 worker:
- srvPort: 8897
+ srvPort: 30001
 hub:
 port: 8898
 srvPort: 8898
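Review bot: `"helm.sh/hook": pre-install` means this SCC is created once and never reconciled: `helm upgrade` does not re-run pre-install hooks, so a later change to `allowedCapabilities`, `volumes` or `users` in this template would not reach the cluster, and `helm uninstall` does not remove hook resources, so the cluster-scoped grant of privileged/hostPID/hostNetwork/hostPath access to `system:serviceaccount:<namespace>:kubeshark-service-account` outlives the release. Change the annotation to `"helm.sh/hook": pre-install,pre-upgrade` and state in the chart documentation that the `kubeshark-scc` object has to be deleted explicitly after uninstall (presumably the hook exists so the SCC is admitted before the workloads; pre-upgrade keeps that ordering on upgrades). The service-account name is hard-coded in `users`; if the chart derives it elsewhere through a template helper, use the same helper here so the two cannot drift. Style: `seccompProfiles` is the only list written flush (`- '*'`) while every other sequence in the file is indented; indent it to match, and consider whether `'*'` (which admits `unconfined`) can be narrowed to the profiles the pods actually request.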
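Review bot: `srvPort: 30001` for the worker now sits in the Kubernetes NodePort range (30000–32767) while `hub.srvPort` stays at `8898`, and nothing in values.yaml says why the two differ or whether this port is exposed as a NodePort or hostPort (the new SCC sets `allowHostPorts: true`, so that distinction is security-relevant for anyone tuning the chart). Add a comment above the key giving the actual reason, e.g. `# Worker service port; moved into the NodePort range (30000-32767) for OpenShift — see #1451`. The `tap:` mapping this key belongs to begins before the hunk.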