github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-08-13 14:17:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

🔨 Add SecurityContextConstraints for OpenShift (#1451)

Browse Source 
* Added OS route

* Openshift Port-changes

* custom-scc

* custom-scc name update

* Revert "custom-scc name update"

This reverts commit 7e6d96c086.

* Added pre-install hook

* default port

* worker port update

* Update helm-chart/templates/14-kubeshark-scc.yaml

Co-authored-by: M. Mert Yildiran <mehmetmertyildiran@gmail.com>

* SCC only for openshift - capability added

---------

Co-authored-by: M. Mert Yildiran <mehmetmertyildiran@gmail.com>
Co-authored-by: M. Mert Yildiran <me@mertyildiran.com>
This commit is contained in:
Chin K 2023-11-21 12:01:34 -05:00 committed by GitHub
parent cc9dbbef2e
commit fc0f6a8452
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
helm-chart/templates/14-openshift-security-context-constraints.yaml Normal file
View File

@ -0,0 +1,53 @@
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
labels:
{{- include "kubeshark.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
{{- if .Values.tap.annotations }}
{{- toYaml .Values.tap.annotations | nindent 4 }}
{{- end }}
name: kubeshark-scc
priority: 10
allowPrivilegedContainer: true
allowHostDirVolumePlugin: true
allowHostNetwork: true
allowHostPorts: true
allowHostPID: true
allowHostIPC: true
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
allowedCapabilities:
- NET_RAW
- NET_ADMIN
- SYS_ADMIN
- SYS_PTRACE
- DAC_OVERRIDE
- SYS_RESOURCE
- CHECKPOINT_RESTORE
- SYS_MODULE
runAsUser:
type: RunAsAny
fsGroup:
type: MustRunAs
seLinuxContext:
type: RunAsAny
supplementalGroups:
type: RunAsAny
seccompProfiles:
- '*'
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
- hostPath
- projected
- ephemeral
users:
- system:serviceaccount:{{ .Release.Namespace }}:kubeshark-service-account
{{- end }}

2
helm-chart/values.yaml
View File

@ -6,7 +6,7 @@ tap:
imagePullSecrets: [] imagePullSecrets: []
proxy: proxy:
worker: worker:
srvPort: 8897 srvPort: 30001
hub: hub:
port: 8898 port: 8898
srvPort: 8898 srvPort: 8898