package bootstrappolicy
import (
kapi "k8s.io/kubernetes/pkg/api"
)
const (
	// SecurityContextConstraintPrivileged is the name of the system default privileged SCC.
	// It is the constraint that lifts privileged-container and host-namespace restrictions.
	SecurityContextConstraintPrivileged = "privileged"
	// SecurityContextConstraintRestricted is the name of the system default restricted SCC,
	// the one granted to every authenticated user.
	SecurityContextConstraintRestricted = "restricted"
)
// GetBootstrapSecurityContextConstraints returns the default SecurityContextConstraints
// installed during system bootstrapping, in order: the "privileged" SCC followed by the
// "restricted" SCC.
//
// buildControllerUsername is listed as a user of the privileged SCC; cluster admins and
// nodes receive it by group, while every authenticated user receives the restricted SCC.
func GetBootstrapSecurityContextConstraints(buildControllerUsername string) []kapi.SecurityContextConstraints {
	// The privileged SCC lifts every restriction this type can express: privileged
	// containers, host directory volumes, host network/ports/PID/IPC, and any SELinux
	// context or UID. Membership in it is equivalent to root on the node.
	privileged := kapi.SecurityContextConstraints{
		ObjectMeta:               kapi.ObjectMeta{Name: SecurityContextConstraintPrivileged},
		AllowPrivilegedContainer: true,
		AllowHostDirVolumePlugin: true,
		AllowHostNetwork:         true,
		AllowHostPorts:           true,
		AllowHostPID:             true,
		AllowHostIPC:             true,
		SELinuxContext: kapi.SELinuxContextStrategyOptions{
			Type: kapi.SELinuxStrategyRunAsAny,
		},
		RunAsUser: kapi.RunAsUserStrategyOptions{
			Type: kapi.RunAsUserStrategyRunAsAny,
		},
		Users:  []string{buildControllerUsername},
		Groups: []string{ClusterAdminGroup, NodesGroup},
	}

	// The restricted SCC leaves every Allow* flag at its zero (false) value. Its
	// MustRunAs / MustRunAsRange strategies take the SELinux level and the UID range
	// from annotations on the namespace that the admission controller populates;
	// creating the strategy fails for a namespace that lacks those annotations.
	restricted := kapi.SecurityContextConstraints{
		ObjectMeta: kapi.ObjectMeta{Name: SecurityContextConstraintRestricted},
		SELinuxContext: kapi.SELinuxContextStrategyOptions{
			Type: kapi.SELinuxStrategyMustRunAs,
		},
		RunAsUser: kapi.RunAsUserStrategyOptions{
			Type: kapi.RunAsUserStrategyMustRunAsRange,
		},
		Groups: []string{AuthenticatedGroup},
	}

	return []kapi.SecurityContextConstraints{privileged, restricted}
}