Modify to run in Restricted SCC

(cherry picked from commit 71be71f3a020e1d8f006a834598f470bd977b000)
ibm-messaging · Feb 18, 2021 · debb021 · debb021
1 parent b38e992
commit debb021
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/openshift-app-sample/Dockerfile b/openshift-app-sample/Dockerfile
@@ -30,6 +30,11 @@
  ENV APP_HOME /go/src/openshift-app-sample
  RUN groupadd $APP_USER && useradd -m -g $APP_USER -l $APP_USER
  RUN mkdir -p $APP_HOME
+ # Create the directories the client expects to be present
+ RUN mkdir -p /IBM/MQ/data/errors \
+   && mkdir -p /.mqm \
+   && chmod -R 777 /IBM \
+   && chmod -R 777 /.mqm
  WORKDIR $APP_HOME
  COPY --chown=0:0 --from=builder $APP_HOME/openshift-app-sample $APP_HOME
  COPY --chown=0:0 --from=builder /opt/mqm /opt/mqm

diff --git a/openshift-app-sample/yaml/pod-sample.yaml b/openshift-app-sample/yaml/pod-sample.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
     - name: golang-app
-      image: uk.icr.io/golang-sample/golang-app:1.0
+      image: uk.icr.io/golang-sample/golang-app:1.2
   restartPolicy: OnFailure
   imagePullSecrets:
     - name: all-icr-io
diff --git a/openshift-app-sample/yaml/sa-pod-deployer.yaml b/openshift-app-sample/yaml/sa-pod-deployer.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-service-account
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pod-interactions
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/exec"]
+    verbs: ["get", "list", "delete", "patch", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-interactions
+subjects:
+  - kind: User
+    name: my-service-account
+roleRef:
+  kind: Role
+  name: pod-interactions
+  apiGroup: rbac.authorization.k8s.io