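---
# SecurityContextConstraints for the ceph-csi plugin and provisioner pods.
# This SCC is highly permissive (privileged containers, host network/PID/IPC,
# hostPath volumes, SYS_ADMIN) and is therefore bound only to the explicit
# service accounts listed under `users` below; do not widen that list or
# attach it to a group.
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: "{{ .Prefix }}ceph-csi"
# To allow running privilegedContainers
allowPrivilegedContainer: true
# CSI daemonset pod needs hostnetworking
allowHostNetwork: true
# This need to be set to true as we use HostPath
allowHostDirVolumePlugin: true
# No explicit priority; written as an explicit null so the intent is visible
# (a bare `priority:` parses to null as well, but reads as an unfinished key).
priority: null
# SYS_ADMIN is needed for rbd to execute rbd map command
allowedCapabilities: ["SYS_ADMIN"]
# Needed as we run liveness container on daemonset pods
allowHostPorts: true
# Needed as we are setting this in RBD plugin pod
allowHostPID: true
# Required for encryption
allowHostIPC: true
# Set to false as we write to RootFilesystem inside csi containers
readOnlyRootFilesystem: false
# Every other capability is dropped; SYS_ADMIN can still be added via
# allowedCapabilities above.
requiredDropCapabilities:
  - ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# The type of volumes which are mounted to csi pods
volumes:
  - configMap
  - projected
  - emptyDir
  - hostPath
users:
  # A user needs to be added for each service account.
  # NOTE(review): the provisioner service accounts receive the same host-level
  # grants as the plugin (daemonset) service accounts — confirm whether they
  # actually need them or could use a narrower SCC.
  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-rbd-plugin-sa"
  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-rbd-provisioner-sa"
  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-cephfs-plugin-sa"
  # yamllint disable-line rule:line-length
  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-cephfs-provisioner-sa"
  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-nfs-plugin-sa"
  - "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-nfs-provisioner-sa"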