open-cluster-management-io / ocm

Core components in the OCM project. Report here if you found any issues in OCM.
https://open-cluster-management.io
Apache License 2.0

Customize the scc of deployments to make ocm run under different scc #633

Open zhiweiyin318 opened 2 days ago

zhiweiyin318 commented 2 days ago

Describe the enhancement

Currently the scc in the deployments cannot be customized, and ocm may not be able to run under some restricted scc. Need an approach to solve scc.

The related PRs:
https://github.com/open-cluster-management-io/ocm/pull/250
https://github.com/open-cluster-management-io/ocm/pull/252

tamalsaha commented 2 days ago

I was able to get things running under the restricted security profile using the following changes.

By restricted profile, I mean pod-security.kubernetes.io/enforce: restricted label on namespaces.

namespaces=( \
  open-cluster-management \
  open-cluster-management-addon \
  open-cluster-management-agent \
  open-cluster-management-agent-addon \
  open-cluster-management-cluster-auth \
  open-cluster-management-cluster-proxy \
  open-cluster-management-hub \
)

# Quote expansions so namespace names are never word-split or globbed.
for ns in "${namespaces[@]}"; do
  kubectl create ns "$ns"
  kubectl label ns "$ns" pod-security.kubernetes.io/enforce=restricted
done