package aggregated_logging
import (
"fmt"
"k8s.io/apimachinery/pkg/util/sets"
)
// sccPrivilegedName is the name of the SecurityContextConstraint that the
// logging service accounts are expected to be bound to.
const sccPrivilegedName = "privileged"

// sccPrivilegedNames lists the service account names (without the
// system:serviceaccount:<project>: prefix) that must appear as users of
// the privileged SCC. fluentdServiceAccountName is defined elsewhere in
// this package.
var sccPrivilegedNames = sets.NewString(fluentdServiceAccountName)
// sccPrivilegedUnboundServiceAccount is the AGL0710 message template.
// %[1]s is the service account name, %[2]s is the project; the order of
// the indexed verbs matters because the suggested command reuses both.
const sccPrivilegedUnboundServiceAccount = `
The ServiceAccount '%[1]s' does not have a privileged SecurityContextConstraint for project '%[2]s'. As a
user with a cluster-admin role, you can grant the permissions by running
the following:
$ oc adm policy add-scc-to-user privileged system:serviceaccount:%[2]s:%[1]s
`
// checkSccs verifies that every service account named in sccPrivilegedNames
// is listed as a user of the privileged SecurityContextConstraint for
// project, reporting AGL0710 for each one that is missing.
//
// r receives the debug and error diagnostics, adapter is used to fetch the
// SCC, and project is the namespace whose service accounts are checked.
// If the SCC cannot be retrieved, AGL0705 is reported and no further
// checks run.
//
// NOTE(review): only scc.Users is consulted. If the cluster grants the SCC
// to these service accounts some other way (a group entry or RBAC), this
// check would still report them as unbound — confirm against how the SCC is
// actually bound in practice.
func checkSccs(r diagnosticReporter, adapter sccAdapter, project string) {
	r.Debug("AGL0700", "Checking SecurityContextConstraints...")

	scc, err := adapter.getScc(sccPrivilegedName)
	if err != nil {
		r.Error("AGL0705", err, fmt.Sprintf("There was an error while trying to retrieve the SecurityContextConstraints for the logging stack: %s", err))
		return
	}

	// Subjects the SCC currently grants directly.
	granted := sets.NewString(scc.Users...)

	// Service accounts appear in the SCC under their fully qualified
	// subject name, so build that before testing membership.
	for _, saName := range sccPrivilegedNames.List() {
		subject := fmt.Sprintf("system:serviceaccount:%s:%s", project, saName)
		if granted.Has(subject) {
			continue
		}
		r.Error("AGL0710", nil, fmt.Sprintf(sccPrivilegedUnboundServiceAccount, saName, project))
	}
}