From 3c1254dfbf5a3a2e3d2886ecef2669a76df895fa Mon Sep 17 00:00:00 2001 From: Pan Ousley Date: Thu, 12 Jan 2023 12:37:41 -0500 Subject: [PATCH] CNV-20962: SCC updates for 4.11+ --- ...t-additional-scc-for-kubevirt-controller.adoc | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/modules/virt-additional-scc-for-kubevirt-controller.adoc b/modules/virt-additional-scc-for-kubevirt-controller.adoc index e77ad179f4..f5f7c693dc 100644 --- a/modules/virt-additional-scc-for-kubevirt-controller.adoc +++ b/modules/virt-additional-scc-for-kubevirt-controller.adoc 
@@ -8,11 +8,9 @@ Security context constraints (SCCs) control permissions for pods. These permissions include actions that a pod, a collection of containers, can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with to be accepted into the system. -The `kubevirt-controller` is a cluster controller that creates the virt-launcher pods for virtual machines in the cluster. These virt-launcher pods are granted permissions by the `kubevirt-controller` service account. +The `virt-controller` is a cluster controller that creates the `virt-launcher` pods for virtual machines in the cluster. These pods are granted permissions by the `kubevirt-controller` service account. -== Additional SCCs granted to the kubevirt-controller service account - -The `kubevirt-controller` service account is granted additional SCCs and Linux capabilities so that it can create virt-launcher pods with the appropriate permissions. These extended permissions allow virtual machines to take advantage of {VirtProductName} features that are beyond the scope of typical pods. +The `kubevirt-controller` service account is granted additional SCCs and Linux capabilities so that it can create `virt-launcher` pods with the appropriate permissions. These extended permissions allow virtual machines to use {VirtProductName} features that are beyond the scope of typical pods. The `kubevirt-controller` service account is granted the following SCCs: 
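Review bot: the first hunk renames the controller to `virt-controller` while the service account, the commit subject and the unchanged heading `== Viewing the SCC and RBAC definitions for the kubevirt-controller` all keep the `kubevirt-controller` name, so a reader now meets two similar names with no explanation; consider a short clause in the replacement sentence such as "These pods are granted permissions by the `kubevirt-controller` service account (the service account name differs from the controller name)" so the distinction reads as intentional. The same hunk also deletes the `== Additional SCCs granted to the kubevirt-controller service account` heading, which leaves the remaining `== Viewing ...` heading as the only subsection and moves the SCC list directly under the module introduction; if that is intended, the module's abstract or the assembly that includes it should be checked so the SCC list is still discoverable.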
@@ -22,11 +20,11 @@ This allows virtual machines to use the hostpath volume plug-in. * `scc.AllowPrivilegedContainer = false` + This ensures the virt-launcher pod is not run as a privileged container. -* `scc.AllowedCapabilities = []corev1.Capability{"NET_ADMIN", "NET_RAW", "SYS_NICE"}` + -This provides the following additional Linux capabilities -`NET_ADMIN`, -`NET_RAW`, and -`SYS_NICE`. +* `scc.AllowedCapabilities = []corev1.Capability{"SYS_NICE", "NET_BIND_SERVICE", "SYS_PTRACE"}` + + +** `SYS_NICE` allows setting the CPU affinity. +** `NET_BIND_SERVICE` allows DHCP and Slirp operations. +** `SYS_PTRACE` enables certain versions of `libvirt` to find the process ID (PID) of `swtpm`, a software Trusted Platform Module (TPM) emulator. == Viewing the SCC and RBAC definitions for the kubevirt-controller
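Review bot: the second hunk replaces the capability list `{"NET_ADMIN", "NET_RAW", "SYS_NICE"}` with `{"SYS_NICE", "NET_BIND_SERVICE", "SYS_PTRACE"}` but says nothing about `NET_ADMIN` and `NET_RAW` having been dropped, so readers of older docs will not know whether the reduction is a 4.11+ change or an error; a one-line note that the earlier capabilities are no longer granted in 4.11 and later would close that gap, and since `SYS_PTRACE` is a more sensitive capability than the two it replaces, the `swtpm`/`libvirt` explanation should stay attached to it so the reason is visible. On formatting, the new `* scc.AllowedCapabilities ...` item ends with a `+` continuation followed by an empty `+` line before the `**` items; nested `**` list items attach to the parent item without `+`, so the two trailing lines should be removed to avoid a stray empty paragraph in the rendered output. Also, the unchanged context line "This ensures the virt-launcher pod is not run as a privileged container." still has `virt-launcher` without backticks, which is inconsistent with the backticked `virt-launcher` introduced in the first hunk.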