Add SCC to support Openshift

Add changes in CHANGELOG and update README.md Signed-off-by: Alvaro Iradier <[email protected]>
falcosecurity · Jul 17, 2020 · 938921b · 938921b
1 parent b9129e3
commit 938921b
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 1 deletion.
diff --git a/falco/CHANGELOG.md b/falco/CHANGELOG.md
@@ -3,6 +3,12 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v1.2.1
+
+### Minor Changes
+
+* Add SecurityContextConstraint to allow deploying in Openshift
+
 ## v1.2.0
 
 ### Minor Changes

diff --git a/falco/Chart.yaml b/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: falco
-version: 1.2.0
+version: 1.2.1
 appVersion: 0.24.0
 description: Falco
 keywords:

diff --git a/falco/README.md b/falco/README.md
@@ -138,6 +138,7 @@ The following table lists the configurable parameters of the Falco chart and the
 | `nodeSelector`                                  | The node selection constraint                                                                                      | `{}`                                                                                                                                      |
 | `affinity`                                      | The affinity constraint                                                                                            | `{}`                                                                                                                                      |
 | `tolerations`                                   | The tolerations for scheduling                                                                                     | `node-role.kubernetes.io/master:NoSchedule`                                                                                               |
+| `scc.create`                                    | Create OpenShift's Security Context Constraint                                                                     | `true` 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

diff --git a/falco/templates/securitycontextconstraints.yaml b/falco/templates/securitycontextconstraints.yaml
@@ -0,0 +1,45 @@
+{{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: |
+      This provides the minimum requirements Falco to run in Openshift.
+  name: {{ template "falco.fullname" . }}
+  labels:
+    app: {{ template "falco.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities: []
+allowedUnsafeSysctls: []
+defaultAddCapabilities: []
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: 0
+readOnlyRootFilesystem: false
+requiredDropCapabilities: []
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+- '*'
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ template "falco.serviceAccountName" .}}
+volumes:
+- hostPath
+- emptyDir
+- secret
+- configMap
+{{- end }}
diff --git a/falco/values.yaml b/falco/values.yaml
@@ -337,3 +337,7 @@ integrations:
 tolerations:
   - effect: NoSchedule
     key: node-role.kubernetes.io/master
+
+scc:
+  # true here enabled creation of Security Context Constraints in Openshift
+  create: true