added SCC V2 compliance for privileged and rorfs (#542)
* added SCC V2 compliance for privileged and rorfs

Signed-off-by: Nathaniel Graham <[nathaniel.graham@protonmail.com, ngraham@redhat.com]>

* Also make some other desired pod-standards changes

Signed-off-by: Joe Gdaniec <jgdaniec@redhat.com>

---------

Signed-off-by: Nathaniel Graham <[nathaniel.graham@protonmail.com, ngraham@redhat.com]>
Signed-off-by: Joe Gdaniec <jgdaniec@redhat.com>
Co-authored-by: Nathaniel Graham <[nathaniel.graham@protonmail.com, ngraham@redhat.com]>
Co-authored-by: Joe Gdaniec <jgdaniec@redhat.com>
3 people authored Oct 18, 2023
1 parent c445245 commit b0f7b06
Showing 2 changed files with 58 additions and 0 deletions.
29 changes: 29 additions & 0 deletions bundle/manifests/multicluster-engine.clusterserviceversion.yaml
Expand Up @@ -2412,7 +2412,29 @@ spec:
metadata:
labels:
control-plane: backplane-operator
ocm-antiaffinity-selector: backplane-operator
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: ocm-antiaffinity-selector
operator: In
values:
- backplane-operator
topologyKey: topology.kubernetes.io/zone
weight: 70
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: ocm-antiaffinity-selector
operator: In
values:
- backplane-operator
topologyKey: kubernetes.io/hostname
weight: 35
containers:
- args:
- --leader-elect
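Review bot: both podAntiAffinity terms are preferredDuringSchedulingIgnoredDuringExecution, so they only affect placement when more than one pod carrying ocm-antiaffinity-selector=backplane-operator exists, and the Deployment replica count is not part of this hunk; confirm replicas is set above 1 (leader election is already enabled via `--leader-elect`, so running more than one replica is safe) or state in the commit message that the zone/host spread is forward-looking. Because the terms are preferred rather than required, a single-node cluster or one whose nodes lack the topology.kubernetes.io/zone label still schedules the pod, which is the right trade-off for an operator, but it is worth saying so explicitly since the zone term carries the higher weight (70 vs 35).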
Expand Down Expand Up @@ -2447,12 +2469,19 @@ spec:
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: multicluster-engine-operator
terminationGracePeriodSeconds: 10
volumes:
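Review bot: with `readOnlyRootFilesystem: true` the only mount in this hunk is the cert volume at /tmp/k8s-webhook-server/serving-certs, itself `readOnly: true`, so the manager has no writable path at all; confirm the operator writes nothing to its root filesystem at runtime (temp files, caches, the webhook server's own scratch space) or add an emptyDir for a scratch directory, otherwise the first write fails only after the pod is running. The container block now sets allowPrivilegeEscalation: false, drops ALL capabilities, privileged: false and a read-only root, and the pod block adds runAsNonRoot plus a RuntimeDefault seccomp profile, which together are the settings the restricted-v2 SCC and the restricted Pod Security Standard check; listing that mapping in the commit message would make the "SCC V2 compliance" claim verifiable.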
29 changes: 29 additions & 0 deletions config/manager/manager.yaml
Expand Up @@ -21,7 +21,29 @@ spec:
metadata:
labels:
control-plane: backplane-operator
ocm-antiaffinity-selector: backplane-operator
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: ocm-antiaffinity-selector
operator: In
values:
- backplane-operator
topologyKey: topology.kubernetes.io/zone
weight: 70
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: ocm-antiaffinity-selector
operator: In
values:
- backplane-operator
topologyKey: kubernetes.io/hostname
weight: 35
containers:
- args:
- --leader-elect
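Review bot: this hunk is identical to the one in bundle/manifests/multicluster-engine.clusterserviceversion.yaml, including the ocm-antiaffinity-selector label and the 70/35 weights; if the bundle CSV is generated from config/manager (as with operator-sdk bundle generation) it should be regenerated from this file rather than hand-edited, so the two copies cannot drift, and the commit message should say which of the two is the source of truth.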
Expand Down Expand Up @@ -56,12 +78,19 @@ spec:
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: multicluster-engine-operator
terminationGracePeriodSeconds: 10
volumes:
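Review bot: `runAsNonRoot: true` is set at the pod level without a `runAsUser`, so the non-root check depends on the image: on OpenShift the restricted-v2 SCC assigns a UID from the namespace range and the check passes, but on a plain Kubernetes cluster the kubelet refuses to start the container unless the image declares a numeric non-root USER. Confirm the operator image sets USER numerically (a symbolic user name is not enough for the runAsNonRoot check), or pin runAsUser explicitly; the same applies to the identical CSV hunk.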

0 comments on commit b0f7b06