61 lines
1.4 KiB
YAML
61 lines
1.4 KiB
YAML
{{- if .Values.nodeAgent.scc.enabled }}
|
|
allowHostDirVolumePlugin: true
|
|
# was true
|
|
allowHostIPC: true
|
|
# was true
|
|
allowHostNetwork: true
|
|
# Allow host PID for dogstatsd origin detection
|
|
allowHostPID: true
|
|
# Allow host ports for dsd / trace / logs intake
|
|
allowHostPorts: true
|
|
allowPrivilegeEscalation: true
|
|
# was true
|
|
allowPrivilegedContainer: true
|
|
# was - '*'
|
|
allowedCapabilities: []
|
|
allowedUnsafeSysctls:
|
|
- '*'
|
|
apiVersion: security.openshift.io/v1
|
|
defaultAddCapabilities: null
|
|
fsGroup:
|
|
# was RunAsAny
|
|
type: MustRunAs
|
|
groups: []
|
|
kind: SecurityContextConstraints
|
|
metadata:
|
|
name: {{ .Release.Name }}-node-agent
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "stackstate-k8s-agent.global.extraLabels" . | indent 4 }}
|
|
annotations:
|
|
{{ include "stackstate-k8s-agent.global.extraAnnotations" . | indent 4 }}
|
|
priority: null
|
|
readOnlyRootFilesystem: false
|
|
requiredDropCapabilities: null
|
|
# was RunAsAny
|
|
runAsUser:
|
|
type: MustRunAsRange
|
|
# Use the `spc_t` selinux type to access the
|
|
# docker socket + proc and cgroup stats
|
|
seLinuxContext:
|
|
type: RunAsAny
|
|
seLinuxOptions:
|
|
user: "system_u"
|
|
role: "system_r"
|
|
type: "spc_t"
|
|
level: "s0"
|
|
# was - '*'
|
|
seccompProfiles: []
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
users:
|
|
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-node-agent
|
|
# Allow hostPath for docker / process metrics
|
|
volumes:
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- hostPath
|
|
- secret
|
|
{{- end }}
|