OpenShift SCC in declarative form
Currently OpenShift docs have this:
```bash
# Grant the nonroot SCC to each Flux controller service account, one oc call per controller
for i in ${!FLUX_CONTROLLERS[@]}; do
  oc adm policy add-scc-to-user nonroot system:serviceaccount:${FLUX_NAMESPACE}:${FLUX_CONTROLLERS[$i]}
done
```
This can be expressed as a role:
```cue
// ClusterRole granting "use" on the nonroot SCC; rules is a list in the RBAC schema,
// so the single policy rule is wrapped in [ ... ]
apiVersion: "rbac.authorization.k8s.io/v1"
kind:       "ClusterRole"
metadata: name: string
rules: [{
	apiGroups: [
		"security.openshift.io",
	]
	resources: [
		"securitycontextconstraints",
	]
	resourceNames: [
		"nonroot",
	]
	verbs: [
		"use",
	]
}]
```
I based the above on something I wrote for Cilium here: https://github.com/cilium/cilium-olm/blob/d595d9b949ee9eab66968cd5e32636bb79f2fe9d/config/operator/rbac.cue#L50-L66
Happy to make a PR to the docs with an expanded YAML version once I have a bit of time.
Hey @errordeveloper, so with this cluster role, instead of running a command for each controller SA, people can just do a `kubectl apply`? If so then I think it's a great UX improvement.
@stefanprodan exactly :)
@errordeveloper can you please post on #4625 the exact YAML that would work for Flux?
Could this be something flux does on bootstrap?
Adding that SCC YAML to the repo before bootstrap should be straightforward https://fluxcd.io/flux/installation/configuration/boostrap-customization/
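What the bootstrap-customization route looks like in practice, as an added example (not Flux's own files): the SCC manifest is committed next to the generated components and listed in the `flux-system` kustomization before `flux bootstrap` runs, so Flux reconciles it together with the controllers. The repository path `clusters/my-cluster/flux-system/` and the file name `scc-nonroot.yaml` are assumptions; `gotk-components.yaml` and `gotk-sync.yaml` are the files bootstrap generates.

```yaml
# clusters/my-cluster/flux-system/kustomization.yaml  (path assumed)
# Added example, not a file shipped by Flux. scc-nonroot.yaml is assumed to hold
# the ClusterRole/binding granting "use" on the nonroot SCC to the controller SAs.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml   # generated by flux bootstrap
  - gotk-sync.yaml         # generated by flux bootstrap
  - scc-nonroot.yaml       # committed before bootstrap, applied in the same reconcile
```

Commit both files before running `flux bootstrap`; the first reconciliation of the `flux-system` Kustomization then applies the SCC grant alongside the controllers instead of requiring a separate `oc` step on every cluster.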