mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-07 00:48:01 +01:00
89 lines
2.4 KiB
Plaintext
89 lines
2.4 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/compliance_operator/co-scans/compliance-operator-advanced.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="compliance-custom-scc_{context}"]
|
|
= Creating a custom SCC for the Compliance Operator
|
|
|
|
In some environments, you must create a custom Security Context Constraints (SCC) file to ensure the correct permissions are available to the Compliance Operator `api-resource-collector`.
|
|
|
|
.Prerequisites
|
|
|
|
* You must have `admin` privileges.
|
|
|
|
.Procedure
|
|
. Define the SCC in a YAML file named `restricted-adjusted-compliance.yaml`:
|
|
+
|
|
.`SecurityContextConstraints` object definition
|
|
[source,yaml]
|
|
----
|
|
allowHostDirVolumePlugin: false
|
|
allowHostIPC: false
|
|
allowHostNetwork: false
|
|
allowHostPID: false
|
|
allowHostPorts: false
|
|
allowPrivilegeEscalation: true
|
|
allowPrivilegedContainer: false
|
|
allowedCapabilities: null
|
|
apiVersion: security.openshift.io/v1
|
|
defaultAddCapabilities: null
|
|
fsGroup:
|
|
type: MustRunAs
|
|
kind: SecurityContextConstraints
|
|
metadata:
|
|
name: restricted-adjusted-compliance
|
|
priority: 30 <1>
|
|
readOnlyRootFilesystem: false
|
|
requiredDropCapabilities:
|
|
- KILL
|
|
- SETUID
|
|
- SETGID
|
|
- MKNOD
|
|
runAsUser:
|
|
type: MustRunAsRange
|
|
seLinuxContext:
|
|
type: MustRunAs
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
users:
|
|
- system:serviceaccount:openshift-compliance:api-resource-collector <2>
|
|
volumes:
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- persistentVolumeClaim
|
|
- projected
|
|
- secret
|
|
----
|
|
<1> The priority of this SCC must be higher than any other SCC that applies to the `system:authenticated` group.
|
|
<2> Service Account used by Compliance Operator Scanner pod.
|
|
|
|
. Create the SCC:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -n openshift-compliance -f restricted-adjusted-compliance.yaml
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
securitycontextconstraints.security.openshift.io/restricted-adjusted-compliance created
|
|
----
|
|
|
|
.Verification
|
|
. Verify the SCC was created:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get -n openshift-compliance scc restricted-adjusted-compliance
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
|
|
restricted-adjusted-compliance false <no value> MustRunAs MustRunAsRange MustRunAs RunAsAny 30 false ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
|
|
----
|