From 0db4e3d9b95314daacfd03d74ba0ad7cf5595213 Mon Sep 17 00:00:00 2001
From: Valters Jansons
Date: Fri, 8 Mar 2024 03:45:39 +0200
Subject: [PATCH] Set SCC's `RunAsUser` as `MustRunAsRange`

Upstream Helm Chart is removing explicit `runAsUser` value from the Deployment and DaemonSet resources. This practically means the UID will be inherited from image's Dockerfile. Users on vanilla Kubernetes clusters will not observe a change in behavior, unless they have exotic configurations. However, OpenShift does have additional security measures. It suggests using randomized UIDs/GIDs for workloads. To enable this, the custom Security Context Constraint resources are being updated. The `MustRunAsRange` policy is utilized with pre-allocated values (no explicit range min/max), which effectively allows OpenShift to pick its own ranges.
---
 resources/scc-daemonset.yaml | 3 +--
 resources/scc.yaml | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/resources/scc-daemonset.yaml b/resources/scc-daemonset.yaml
index a2d2f135..ca39d7ad 100644
--- a/resources/scc-daemonset.yaml
+++ b/resources/scc-daemonset.yaml
@@ -5,8 +5,7 @@ metadata:
   name: nginx-ingress-admin
 allowPrivilegedContainer: false
 runAsUser:
-  type: MustRunAs
-  uid: 101
+  type: MustRunAsRange
 seLinuxContext:
   type: MustRunAs
 fsGroup:
diff --git a/resources/scc.yaml b/resources/scc.yaml
index 2f3fa32b..f4881832 100644
--- a/resources/scc.yaml
+++ b/resources/scc.yaml
@@ -5,8 +5,7 @@ metadata:
   name: nginx-ingress-admin
 allowPrivilegedContainer: false
 runAsUser:
-  type: MustRunAs
-  uid: 101
+  type: MustRunAsRange
 seLinuxContext:
   type: MustRunAs
 fsGroup:
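Review bot: `type: MustRunAsRange` with no `uidRangeMin`/`uidRangeMax` makes the accepted UID range come entirely from the target namespace's pre-allocated range annotation (`openshift.io/sa.scc.uid-range`), and nothing in the resource records that dependency; a pod using this SCC in a namespace that lacks the annotation is refused at admission rather than falling back to the fixed UID 101 the old lines provided. I would put a comment above `runAsUser:` such as `# No uidRangeMin/uidRangeMax on purpose: OpenShift takes the range from the namespace's pre-allocated UID range annotation`. It is also worth stating in the chart's OpenShift documentation that a pod spec which still sets `runAsUser: 101` (the value this change drops) will now fail SCC validation unless 101 happens to fall inside the namespace range, since the SCC no longer pins it. The same applies to the identical hunk in resources/scc.yaml, and in both files the SCC body continues past `fsGroup:` outside the hunk.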