mirror of
https://github.com/kubeshark/kubeshark.git
synced 2025-07-31 00:04:43 +00:00
06e0def53e
Add IPC_LOCK to allowedCapabilities otherwise kubeshark-worker-daemon-set will not deploy.
54 lines
1.1 KiB
YAML
54 lines
1.1 KiB
YAML
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
|
|
apiVersion: security.openshift.io/v1
|
|
kind: SecurityContextConstraints
|
|
metadata:
|
|
labels:
|
|
{{- include "kubeshark.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
{{- if .Values.tap.annotations }}
|
|
{{- toYaml .Values.tap.annotations | nindent 4 }}
|
|
{{- end }}
|
|
name: kubeshark-scc
|
|
priority: 10
|
|
allowPrivilegedContainer: true
|
|
allowHostDirVolumePlugin: true
|
|
allowHostNetwork: true
|
|
allowHostPorts: true
|
|
allowHostPID: true
|
|
allowHostIPC: true
|
|
readOnlyRootFilesystem: false
|
|
requiredDropCapabilities:
|
|
- MKNOD
|
|
allowedCapabilities:
|
|
- NET_RAW
|
|
- NET_ADMIN
|
|
- SYS_ADMIN
|
|
- SYS_PTRACE
|
|
- DAC_OVERRIDE
|
|
- SYS_RESOURCE
|
|
- SYS_MODULE
|
|
- IPC_LOCK
|
|
runAsUser:
|
|
type: RunAsAny
|
|
fsGroup:
|
|
type: MustRunAs
|
|
seLinuxContext:
|
|
type: RunAsAny
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
seccompProfiles:
|
|
- '*'
|
|
volumes:
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- persistentVolumeClaim
|
|
- secret
|
|
- hostPath
|
|
- projected
|
|
- ephemeral
|
|
users:
|
|
- system:serviceaccount:{{ .Release.Namespace }}:kubeshark-service-account
|
|
{{- end }}
|