Jason Dobies is a Red Hat software engineer who provides tech support to partners. I spoke with him at KubeCon and described the security context situation. He said the need for an elevated security context can often be avoided by changing directory permissions in the container. This might be a way to avoid the need for the any_uid SCC grant for Standbys and Followers.
The need for the special "cluster_reader" grant to HAProxy can be avoided if its configuration files are generated externally, using the system:admin's credentials, and then copied into the container. The HAProxy container only needs cluster-wide read access because it discovers the cluster members itself from inside the pod; generating the config outside moves that API access to whoever runs the tooling. That would also handle reconfiguration on failover without deleting/creating or restarting the container, since only the config file changes and HAProxy is reloaded in place. And it would eliminate the need to install kubectl and all its dependencies in the image build, which also removes one more binary and a service account token with API read rights from the running container.
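The external-generation flow described above, as an added example (not Conjur's code and not from the page): the operator's own kubectl credentials read the endpoints, a render function writes haproxy.cfg locally, and the file is copied into the running pod and HAProxy is told to reload. The namespace "conjur", the pod label app=conjur-haproxy, the services "conjur-master" and "conjur-standby", and the config path /etc/haproxy/haproxy.cfg are all assumed names, and the reload assumes HAProxy runs in master-worker mode (-W) as PID 1 so that SIGUSR2 re-reads the config.

```shell
#!/bin/sh
# Added example (not Conjur's or the page's own code): render haproxy.cfg outside
# the container from kubectl output, then copy it in and reload HAProxy without
# restarting the pod. All Kubernetes names below are hypothetical.
set -eu

# render_haproxy_cfg BIND_PORT NAME=IP:PORT...
# Emits a TCP passthrough config (TLS terminates at Conjur, not at HAProxy).
# The first server is the active master; any further servers are marked
# "backup", so HAProxy only sends traffic to them when the master check fails.
render_haproxy_cfg() {
    bind_port=$1; shift
    cat <<EOF
global
    log stdout format raw local0
defaults
    mode tcp
    timeout connect 5s
    timeout client 60s
    timeout server 60s
frontend conjur_in
    bind *:${bind_port}
    default_backend conjur_master
backend conjur_master
EOF
    first=1
    for entry in "$@"; do
        name=${entry%%=*}
        addr=${entry#*=}
        if [ "$first" -eq 1 ]; then
            printf '    server %s %s check\n' "$name" "$addr"
            first=0
        else
            printf '    server %s %s check backup\n' "$name" "$addr"
        fi
    done
}

# count_servers: number of server lines in a rendered config read from stdin.
count_servers() { grep -c '^    server '; }

# fetch_endpoints NAMESPACE SERVICE -> one pod IP per line.
# Runs with the operator's credentials (e.g. system:admin), so the HAProxy pod
# itself needs neither a cluster-reader binding nor a kubectl binary.
fetch_endpoints() {
    kubectl -n "$1" get endpoints "$2" \
        -o jsonpath='{range .subsets[*].addresses[*]}{.ip}{"\n"}{end}'
}

# push_and_reload NAMESPACE POD CONFIG_FILE
# kubectl cp needs tar in the image; "haproxy -c" validates the file before
# the master process (assumed PID 1, started with -W) is asked to reload.
push_and_reload() {
    kubectl -n "$1" cp "$3" "$2:/etc/haproxy/haproxy.cfg"
    kubectl -n "$1" exec "$2" -- haproxy -c -f /etc/haproxy/haproxy.cfg
    kubectl -n "$1" exec "$2" -- sh -c 'kill -USR2 1'
}

main() {
    ns=${NAMESPACE:-conjur}
    pod=$(kubectl -n "$ns" get pod -l app=conjur-haproxy \
        -o jsonpath='{.items[0].metadata.name}')
    master=$(fetch_endpoints "$ns" conjur-master | head -n 1)
    args="master=${master}:443"
    i=0
    for ip in $(fetch_endpoints "$ns" conjur-standby); do
        i=$((i + 1))
        args="$args standby${i}=${ip}:443"
    done
    tmp=$(mktemp)
    # word splitting of $args is intended here
    render_haproxy_cfg 443 $args > "$tmp"
    push_and_reload "$ns" "$pod" "$tmp"
    rm -f "$tmp"
}

# Only talk to the cluster when explicitly asked; sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `./haproxy-sync.sh --apply` from a workstation or a CI job that already holds admin credentials; re-running it after a failover is the whole reconfiguration step. Validating with `haproxy -c` before sending SIGUSR2 matters because HAProxy keeps the old workers if the new config fails to parse, which would silently leave traffic going to the old master.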
The need for the any_uid SCC grant for the application's authenticator.rb is likewise caused by the permissions on the directory holding the access token file, /run/conjur/access-token: the authenticator has to write the token there, and the image's directory permissions do not allow that for the arbitrary UID the restricted SCC assigns. The same directory-permission fix should therefore apply here as well.
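The directory-permission approach from the conversation with Jason, applied to the access token directory above, as an added example (not Conjur's code and not from the page). It relies on one OpenShift fact: the restricted SCC picks the container UID from the namespace's range, but the process is always a member of the root group (GID 0), so handing the directory to GID 0 with group rights equal to the owner's (g=u) lets any assigned UID write there. The path /run/conjur is from the page; the function names and the entrypoint flag are assumptions.

```shell
#!/bin/sh
# Added example (not Conjur's or the page's own code): make a directory writable
# by the arbitrary UID OpenShift's restricted SCC assigns, instead of requesting
# anyuid. /run/conjur comes from the page; everything else is assumed.
set -eu

# prepare_dir_for_arbitrary_uid DIR
# Build-time step for a Dockerfile RUN line (executed as root while building):
# give the directory to GID 0 and grant the group exactly the owner's rights,
# then drop world access since the access token is a secret.
prepare_dir_for_arbitrary_uid() {
    dir=$1
    mkdir -p "$dir"
    chgrp -R 0 "$dir"
    chmod -R g=u "$dir"
    chmod -R o-rwx "$dir"
}

# check_dir_writable DIR
# Run-time fail-fast check for an entrypoint: returns 0 if the current UID can
# create a file in DIR, 1 otherwise, and reports the identity that failed so an
# SCC/permission mismatch shows up in the pod log instead of deep in authenticator.rb.
check_dir_writable() {
    dir=$1
    probe="$dir/.probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    echo "cannot write $dir as uid=$(id -u) gid=$(id -g) groups=$(id -G)" >&2
    return 1
}

# Entrypoint usage: `entrypoint.sh --check` before starting the authenticator.
if [ "${1:-}" = "--check" ]; then
    check_dir_writable /run/conjur
fi
```

In the image build the call would be `RUN prepare_dir_for_arbitrary_uid /run/conjur` (or the three commands inlined); the runtime check is the part that tells you whether the SCC grant is actually still needed, because it fails with the real UID and group list rather than a later stack trace. Note that a writable directory is enough only if the authenticator creates the file itself; if the image ships a pre-created access-token file owned by another user, that file needs the same chgrp/chmod treatment.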