Zyklus 1 - Historie - Using SCC anyuid in OKD-OpenShift - Kube-faq - Stickie~Box pflaeging.net

Using SCC anyuid in OKD-OpenShift » Historie » Zyklus 1

Peter Pfläging, 21.07.2021 19:52

-Peter Pfläging
+# OKD  Openshift SCC AnyUID
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: system:openshift:scc:anyuid
   namespace: mysupercoolnamespace
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:openshift:scc:anyuid
 subjects:
 - kind: ServiceAccount
   name: default
   namespace: mysupercoolnamespace
 ---
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
   annotations:
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
     kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
     release.openshift.io/create-only: "true"
   name: anyuid
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: false
 allowedCapabilities: null
 defaultAddCapabilities: null
 fsGroup:
   type: RunAsAny
 groups:
 - system:cluster-admins
 priority: 10
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
 - MKNOD
 runAsUser:
   type: RunAsAny
 seLinuxContext:
   type: MustRunAs
 supplementalGroups:
   type: RunAsAny
 users: []
 volumes:
 - configMap
 - downwardAPI
 - emptyDir
 - persistentVolumeClaim
 - projected
 ```