Merge pull request rook#13936 from travisn/default-serviceaccount-scc
security: Operator and Toolbox SCC for default service account on OpenShift
travisn authored Mar 18, 2024
2 parents 3a7bbe5 + 3e54055 commit a536b36
Showing 6 changed files with 11 additions and 3 deletions.
Expand Up @@ -37,9 +37,8 @@ volumes:
- secret
users:
# A user needs to be added for each rook service account.
- system:serviceaccount:{{ .Release.Namespace }}:default
- system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-default
- system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-mgr
- system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-osd
- system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-rgw
- system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-default
{{- end }}
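Review bot: Dropping `system:serviceaccount:{{ .Release.Namespace }}:default` from `users` means a pod that still runs under the namespace's default service account no longer gets this SCC through this list, and nothing next to the entries says that this is deliberate. The same applies to the `users` list in deploy/examples/operator-openshift.yaml. I would add a comment above the entries, for example `# The namespace's "default" service account is intentionally not listed; pods that need this SCC must set serviceAccountName: rook-ceph-default.`, so that a toolbox or debug pod deployed from an older manifest fails for a reason the operator can find. The rendered page has lost the +/- markers and `rook-ceph-default` appears twice in this hunk (second and last entry), so please confirm that exactly one entry remains on the new side. The enclosing template block starts above the hunk.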
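--- a/deploy/examples/common-external.yaml
+++ b/deploy/examples/common-external.yaml
@@ -57,6 +57,12 @@ metadata:
 name: rook-ceph-cmd-reporter
 namespace: rook-ceph-external # namespace:cluster
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: rook-ceph-default
+namespace: rook-ceph-external # namespace:cluster
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata: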
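--- a/deploy/examples/direct-mount.yaml
+++ b/deploy/examples/direct-mount.yaml
@@ -16,6 +16,7 @@ spec:
 app: rook-direct-mount
 spec:
 dnsPolicy: ClusterFirstWithHostNet
+serviceAccountName: rook-ceph-default
 containers:
 - name: rook-direct-mount
 image: rook/ceph:master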
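Review bot: The pod now runs as `rook-ceph-default`, an account listed in the OpenShift SCC `users`, yet nothing visible in this hunk disables automatic mounting of that account's API token. If the direct-mount pod never calls the Kubernetes API (its command is outside the hunk, so this needs confirming), add `automountServiceAccountToken: false` next to `serviceAccountName: rook-ceph-default`, so that a shell in this pod does not also carry a usable credential for that account. The same applies to the pod specs in deploy/examples/toolbox-operator-image.yaml and deploy/examples/toolbox.yaml. The pod spec continues outside the hunk.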
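--- a/deploy/examples/operator-openshift.yaml
+++ b/deploy/examples/operator-openshift.yaml
@@ -45,7 +45,7 @@ users:
 # This assumes running in the default sample "rook-ceph" namespace.
 # If other namespaces or service accounts are configured, they need to be updated here.
 - system:serviceaccount:rook-ceph:rook-ceph-system # serviceaccount:namespace:operator
-- system:serviceaccount:rook-ceph:default # serviceaccount:namespace:cluster
+- system:serviceaccount:rook-ceph:rook-ceph-default # serviceaccount:namespace:cluster
 - system:serviceaccount:rook-ceph:rook-ceph-mgr # serviceaccount:namespace:cluster
 - system:serviceaccount:rook-ceph:rook-ceph-osd # serviceaccount:namespace:cluster
 - system:serviceaccount:rook-ceph:rook-ceph-rgw # serviceaccount:namespace:cluster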
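--- a/deploy/examples/toolbox-operator-image.yaml
+++ b/deploy/examples/toolbox-operator-image.yaml
@@ -22,6 +22,7 @@ spec:
 app: rook-ceph-tools-operator-image
 spec:
 dnsPolicy: ClusterFirstWithHostNet
+serviceAccountName: rook-ceph-default
 containers:
 - name: rook-ceph-tools-operator-image
 image: rook/ceph:master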
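--- a/deploy/examples/toolbox.yaml
+++ b/deploy/examples/toolbox.yaml
@@ -16,6 +16,7 @@ spec:
 app: rook-ceph-tools
 spec:
 dnsPolicy: ClusterFirstWithHostNet
+serviceAccountName: rook-ceph-default
 containers:
 - name: rook-ceph-tools
 image: quay.io/ceph/ceph:v18.2.2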
