authorSuren A. Chilingaryan <csa@suren.me>2018-03-01 21:15:50 +0100
committerSuren A. Chilingaryan <csa@suren.me>2018-03-01 21:15:50 +0100
commit69adb23c59e991ddcabf5cfce415fd8b638dbc1a (patch)
tree8693e708f751923f6f7f9dd48004303bebb4e126 /setup/configs/security.yml
parent1f3e2a9f59e83dc3f0fcbecf096a7e7b40d36ed7 (diff)
Improve handling of filesystem permissions and other fixes
Diffstat (limited to 'setup/configs/security.yml')
-rw-r--r--setup/configs/security.yml28
1 files changed, 19 insertions, 9 deletions
diff --git a/setup/configs/security.yml b/setup/configs/security.yml
index b870c55..22784b3 100644
--- a/setup/configs/security.yml
+++ b/setup/configs/security.yml
@@ -1,26 +1,36 @@
-ands_openshift_gid_mode:
- ands_default: "MustRunAs"
-# sample: "RunAsAny"
-
-#ands_openshift_uid_mode:
-# ands_default: "MustRunAsRange"
+#The SCC is global, not per project.
+# It is better to work with groups.
+#ands_openshift_uid_mode: "MustRunAsRange"
+# Allow setting the required fsGroup in pod-specification (default is MustRunAs).
+# - If Ceph or other block storage is used, it is necessary set 'fsGroup' in pod definitions if 'RunAsAny' strategy is selected. Otherwise, the matching rules will fail.
+# - For some reason, 'fsGroup' is not used as 'gid' for container. The 'gid' is always 0 (maybe only if container is run by unknown user or withiout known group).
+# - May be it also should not. While documentation states that the new files are created with fsGroup gid, it also states that fsGroup is only used for network block storage (ceph).
+# - Using "MustRunAs" a first 'gid' specified in the project 'supplementalGroups' will be used as 'fsGroup'.
+# - Yes, in the project, not 'pod'. Consequently, the 'group' assigned to project is always in the 'supGroups' if 'MustRunAs' is selected.
+# - gid=0 is also always in
+# I tend to keep the default settings and use +s to enfore group ownership. If project uses multiple 'groups', the first group in the range should not be used and we avoid unintended sharing.
+#ands_openshift_gid_mode: "RunAsAny"
+#To enforce the range specified in the project configuration.
+# - The gids outside of the range will be rejected and pod will fail if "MustRunAs" is selected.
+ands_openshift_groups_mode: "MustRunAs"
#ands_openshift_uid_ranges:
ands_openshift_gid_ranges:
kaas: "4000/10"
katrin: "5000/10"
- test: "7100/10"
adei: "6000/10"
bora: "6100/10"
web: "6200/10"
mon: "7000/10"
+ test: "7100/10"
+# The default user and group mentioned in some projects
ands_openshift_uids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
ands_openshift_gids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
ands_default_file_group: root
ands_default_file_owner: root