-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathibm-restricted-scc.yaml
57 lines (56 loc) · 1.27 KB
/
ibm-restricted-scc.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# This SCC is the most restrictive, and is meant to be a template
# Pass the --validate=false flag when applying
# The ID ranges provided in this template match the PSPs and can be changed
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: ibm-restricted-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowedCapabilities: null
allowedFlexVolumes: null
allowedUnsafeSysctls: null
defaultAddCapabilities: null
defaultAllowPrivilegeEscalation: false
forbiddenSysctls:
- "*"
fsGroup:
type: MustRunAs
ranges:
- max: 65535
min: 1
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
type: MustRunAsNonRoot
seccompProfiles:
- docker/default
# This can be customized for seLinuxOptions specific to your host machine
seLinuxContext:
type: RunAsAny
# seLinuxOptions:
# level:
# user:
# role:
# type:
supplementalGroups:
type: MustRunAs
ranges:
- max: 65535
min: 1
# This can be customized to host specifics
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
# If you want a priority on your SCC -- set for a value more than 0
# priority: