YAMLs for creating a privileged pod on Red Hat OpenShift
---
# Namespace that scopes every namespaced object in this file
# (the SecurityContextConstraints further down is cluster-scoped).
apiVersion: v1
kind: Namespace
metadata:
  name: privileged-test
---
# ServiceAccount the deployments run as. It is the subject of the
# RoleBinding below and the only entry in the SCC's `users` list.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: privileged-sa
  namespace: privileged-test
---
# Role granting basic pod access inside the namespace.
# NOTE(review): nothing in this file exercises the Role (both deployments
# only `sleep`). "create"/"delete" on pods, together with the SCC grant
# below, presumably lets a holder of this SA's token launch its own
# privileged pods; drop those verbs if the test only needs to observe pods.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: privileged-test
  name: privileged-role
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
# RoleBinding attaching the ServiceAccount to the Role above
# (namespaced binding, so the grant stays inside privileged-test).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: privileged-rb
  namespace: privileged-test
subjects:
  - kind: ServiceAccount
    name: privileged-sa
    namespace: privileged-test
roleRef:
  kind: Role
  name: privileged-role
  apiGroup: rbac.authorization.k8s.io
---
# SecurityContextConstraints - only available on OpenShift.
# Grants privileged permissions to the ServiceAccount.
# The SCC is cluster-scoped (no namespace field); only the fully
# qualified entry under `users` ties it to the test namespace.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: privileged-scc-test
allowPrivilegedContainer: true   # required by privileged-container (privileged: true)
allowHostNetwork: true           # required by both deployments (hostNetwork: true)
# NOTE(review): neither deployment in this file declares a volume, so
# host-directory access (allowHostDirVolumePlugin plus volumes: '*') is
# wider than the test needs; consider removing both for least privilege.
allowHostDirVolumePlugin: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:privileged-test:privileged-sa
volumes:
  - '*'
# NOTE(review): the author's follow-up commands also bind the built-in
# `privileged` SCC to this SA, which suggests this custom SCC alone did not
# admit the pods in their environment; the `openshift.io/scc` pod annotation
# shows which SCC actually admitted a pod - confirm before relying on this one.
---
# Deployment with a privileged container and hostNetwork.
# hostNetwork is set on the pod spec, so BOTH containers below share the
# node's network namespace, not only the privileged one.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: privileged-deployment
  namespace: privileged-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: privileged-pod
  template:
    metadata:
      labels:
        app: privileged-pod
    spec:
      serviceAccountName: privileged-sa   # must be allowed by an SCC (see above)
      hostNetwork: true
      containers:
        # Requests privileged: true; admitted only by an SCC with
        # allowPrivilegedContainer: true.
        - name: privileged-container
          image: registry.access.redhat.com/ubi8/ubi-minimal
          command: ["/bin/sh", "-c", "sleep 3600"]
          securityContext:
            privileged: true
        # Control container in the same pod: not privileged, but it still
        # shares the pod's host network namespace and ServiceAccount.
        - name: no-privileged-container
          image: registry.access.redhat.com/ubi8/ubi-minimal
          command: ["/bin/sh", "-c", "sleep 3600"]
          securityContext:
            privileged: false
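---
# Deployment with an unprivileged container, but still on hostNetwork.
# Its selector/labels are distinct from privileged-deployment's: two
# Deployments in one namespace with overlapping selectors conflict over
# each other's pods, and the copy-pasted `app: privileged-pod` label
# would have done exactly that.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: no-privileged-deployment
  namespace: privileged-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: no-privileged-pod
  template:
    metadata:
      labels:
        app: no-privileged-pod
    spec:
      serviceAccountName: privileged-sa   # still needs an SCC with allowHostNetwork: true
      # NOTE(review): hostNetwork is a host-level privilege on its own; keep it
      # only if the test intends to exercise hostNetwork without privileged: true.
      hostNetwork: true
      containers:
        - name: no-privileged-container
          image: registry.access.redhat.com/ubi8/ubi-minimal
          command: ["/bin/sh", "-c", "sleep 3600"]
          securityContext:
            privileged: false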
but you should also execute these commands:
# Grant the built-in `privileged` SCC to the test ServiceAccount, in addition
# to the custom SCC declared in the YAML above.
oc adm policy add-scc-to-user privileged -z privileged-sa -n privileged-test
# Remove the pods admitted before the grant; the Deployments re-create them
# so that SCC admission runs again.
oc delete pod -n privileged-test --all
# Roll out new pods for the privileged deployment.
# NOTE(review): only privileged-deployment is restarted here; the pods of
# no-privileged-deployment are only re-created by the delete above.
oc rollout restart deployment privileged-deployment -n privileged-test
# Show the securityContext the pods were admitted with. The `openshift.io/scc`
# pod annotation names the SCC that admitted each pod, which is the more
# direct check of which SCC took effect.
oc get pod -n privileged-test -o yaml | grep -A5 securityContext