mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

Merge pull request #54725 from openshift-cherrypick-robot/cherry-pick-54600-to-enterprise-4.12

[enterprise-4.12] CNV-20962: SCC updates for 4.11+
This commit is contained in:
Pan Ousley
2023-01-16 11:46:11 -05:00
committed by GitHub


@@ -8,11 +8,9 @@
Security context constraints (SCCs) control permissions for pods. These permissions include actions that a pod, a collection of containers, can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with to be accepted into the system.
The `kubevirt-controller` is a cluster controller that creates the virt-launcher pods for virtual machines in the cluster. These virt-launcher pods are granted permissions by the `kubevirt-controller` service account.
The `virt-controller` is a cluster controller that creates the `virt-launcher` pods for virtual machines in the cluster. These pods are granted permissions by the `kubevirt-controller` service account.
== Additional SCCs granted to the kubevirt-controller service account
The `kubevirt-controller` service account is granted additional SCCs and Linux capabilities so that it can create virt-launcher pods with the appropriate permissions. These extended permissions allow virtual machines to take advantage of {VirtProductName} features that are beyond the scope of typical pods.
The `kubevirt-controller` service account is granted additional SCCs and Linux capabilities so that it can create `virt-launcher` pods with the appropriate permissions. These extended permissions allow virtual machines to use {VirtProductName} features that are beyond the scope of typical pods.
The `kubevirt-controller` service account is granted the following SCCs:
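Review bot: the rewritten sentence renames the controller to `virt-controller` but leaves the heading and the list intro immediately below referring to the `kubevirt-controller` service account, so a reader will take the two names for an inconsistency rather than two different objects; make the relationship explicit in the new sentence (which component runs under which service account), for example "The `virt-controller` ... runs under the `kubevirt-controller` service account, which grants the `virt-launcher` pods their permissions."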
@@ -22,11 +20,11 @@ This allows virtual machines to use the hostpath volume plug-in.
* `scc.AllowPrivilegedContainer = false` +
This ensures the virt-launcher pod is not run as a privileged container.
* `scc.AllowedCapabilities = []corev1.Capability{"NET_ADMIN", "NET_RAW", "SYS_NICE"}` +
This provides the following additional Linux capabilities
`NET_ADMIN`,
`NET_RAW`, and
`SYS_NICE`.
* `scc.AllowedCapabilities = []corev1.Capability{"SYS_NICE", "NET_BIND_SERVICE", "SYS_PTRACE"}` +
** `SYS_NICE` allows setting the CPU affinity.
** `NET_BIND_SERVICE` allows DHCP and Slirp operations.
** `SYS_PTRACE` enables certain versions of `libvirt` to find the process ID (PID) of `swtpm`, a software Trusted Platform Module (TPM) emulator.
== Viewing the SCC and RBAC definitions for the kubevirt-controller
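Review bot: the trailing ` +` hard line break on the new `scc.AllowedCapabilities` line is no longer needed once the explanation moves into nested `**` items (the removed entry needed it because its continuation was plain text lines); drop it so it does not render as a stray break before the sub-list. Also, "`NET_BIND_SERVICE` allows DHCP and Slirp operations" names the use case but not the permission; stating the mechanism (binding to privileged ports below 1024, which a DHCP server on UDP port 67 needs) would let readers judge why it is safe to grant alongside `AllowPrivilegedContainer = false`.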