From 0784bc394315d50f424571956a08fe0128f098ac Mon Sep 17 00:00:00 2001
From: Ciara Stacke
Date: Tue, 28 Mar 2023 12:00:59 +0100
Subject: [PATCH 1/2] Add example SCC for daemonset
---
 docs/manual-installation.md | 8 +++++++-
 docs/openshift-installation.md | 6 +++++-
 resources/scc-daemonset.yaml | 29 +++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 resources/scc-daemonset.yaml
diff --git a/docs/manual-installation.md b/docs/manual-installation.md
index 5ba1d76e..6ca9c49b 100644
--- a/docs/manual-installation.md
+++ b/docs/manual-installation.md
@@ -31,6 +31,12 @@ This will deploy the operator in the `nginx-ingress-operator-system` namespace.
 3. `OpenShift` Additional steps:
-In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so, please run the following command (assuming you are logged in with administrator access to the cluster):
+In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so for NIC deployments, please run the following command (assuming you are logged in with administrator access to the cluster):
 `kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.3.1/resources/scc.yaml`
+
+Alternatively, to create an SCC for NIC daemonsets, please run this command:
+
+`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.3.1/resources/scc-daemonset.yaml`
+
+You can now deploy the NGINX Ingress Controller instances.
diff --git a/docs/openshift-installation.md b/docs/openshift-installation.md
index a99ba2e8..f5a9f088 100644
--- a/docs/openshift-installation.md
+++ b/docs/openshift-installation.md
@@ -19,8 +19,12 @@ OpenShift will install the NGINX Ingress Operator:
 Additional steps:
-In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so, please run the following command (assuming you are logged in with administrator access to the cluster):
+In order to deploy NGINX Ingress Controller instances into OpenShift environments, a new SCC is required to be created on the cluster which will be used to bind the specific required capabilities to the NGINX Ingress service account(s). To do so for NIC deployments, please run the following command (assuming you are logged in with administrator access to the cluster):
 `kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.3.1/resources/scc.yaml`
+Alternatively, to create an SCC for NIC daemonsets, please run this command:
+
+`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-ingress-helm-operator/v1.3.1/resources/scc-daemonset.yaml`
+
 You can now deploy the NGINX Ingress Controller instances.
diff --git a/resources/scc-daemonset.yaml b/resources/scc-daemonset.yaml
new file mode 100644
index 00000000..d16a470c
--- /dev/null
+++ b/resources/scc-daemonset.yaml
@@ -0,0 +1,29 @@
+# Create SCC for IC resources
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: nginx-ingress-admin
+allowPrivilegedContainer: true
+runAsUser:
+ type: MustRunAs
+ uid: 101
+seLinuxContext:
+ type: MustRunAs
+fsGroup:
+ type: MustRunAs
+supplementalGroups:
+ type: MustRunAs
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: true
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+readOnlyRootFilesystem: false
+volumes:
+ - secret
+defaultAddCapabilities:
+ - "NET_BIND_SERVICE"
+requiredDropCapabilities:
+ - ALL
+users:
+ - 'system:serviceaccount:*:nginx-ingress'
From 71f0406b56526a19bbf9a08bf1a708e8f7e8f52e Mon Sep 17 00:00:00 2001
From: Ciara Stacke
Date: Fri, 26 May 2023 10:46:03 +0100
Subject: [PATCH 2/2] Update for latest changes in NIC
---
 resources/scc-daemonset.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/resources/scc-daemonset.yaml b/resources/scc-daemonset.yaml
index d16a470c..66a218e2 100644
--- a/resources/scc-daemonset.yaml
+++ b/resources/scc-daemonset.yaml
@@ -3,7 +3,7 @@ kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
 name: nginx-ingress-admin
-allowPrivilegedContainer: true
+allowPrivilegedContainer: false
 runAsUser:
 type: MustRunAs
 uid: 101
@@ -19,10 +19,10 @@ allowHostPorts: true
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 readOnlyRootFilesystem: false
+seccompProfiles:
+- runtime/default
 volumes:
 - secret
-defaultAddCapabilities:
- - "NET_BIND_SERVICE"
 requiredDropCapabilities:
 - ALL
 users:
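Review bot: The new file sets `metadata.name: nginx-ingress-admin`, and SecurityContextConstraints are cluster-scoped, so if `resources/scc.yaml` uses the same name (not visible here; worth confirming) the two `kubectl apply` commands the docs present as alternatives overwrite each other, and whichever was applied last silently decides whether `allowHostPorts: true` is granted to every matching service account. A distinct name such as `nginx-ingress-admin-daemonset` would let both SCCs coexist and make it visible in `oc get scc` which grant is in effect. The header comment `# Create SCC for IC resources` is the generic one; a comment recording why this variant exists, e.g. `# SCC for NIC daemonsets: differs from scc.yaml in allowHostPorts, which hostPort bindings require`, would stop a later reader from tidying that field back to false. It is also worth confirming that SCC user matching honours the `*` namespace glob in `system:serviceaccount:*:nginx-ingress`; if entries are compared verbatim, this grants nothing and the intent has to be expressed per namespace or through RBAC `use` on the SCC.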
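Review bot: Changing `allowPrivilegedContainer` to false still leaves `allowPrivilegeEscalation` unset on this SCC, and an unspecified value defaults to true, so a pod admitted through it may still gain privileges through setuid or file-capability binaries despite the capability drop further down. If the NIC pod template this commit tracks now runs with `allowPrivilegeEscalation: false` in its container securityContext, adding `allowPrivilegeEscalation: false` directly under the changed line makes the SCC enforce that rather than merely tolerate it.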
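Review bot: The added `- runtime/default` entry is flush with its `seccompProfiles:` key while every other sequence in the file (`volumes:` → `  - secret`, `requiredDropCapabilities:` → `  - ALL`) is indented, so the file now mixes both block-sequence styles; indent it as `  - runtime/default` to match. Separately, removing `defaultAddCapabilities: NET_BIND_SERVICE` while keeping `requiredDropCapabilities: ALL` leaves an SCC that neither adds nor allows that capability, and SCC admission rejects a pod that adds a capability the SCC neither allows nor adds by default; if the NIC daemonset pod template still lists it under `capabilities.add` (the usual way to bind ports below 1024 as uid 101 without privilege escalation), pods will stop being admitted. The commit message does not record why the capability was dropped, so this is worth checking against the NIC manifest being tracked; if the pod still requests it, the intended change is probably moving it to `allowedCapabilities` rather than deleting it.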