Merge branch 'master' into mbruzek-openshift-openstack

1 files changed, 42 insertions, 0 deletions

diff --git a/roles/contiv/templates/etcd-scc.yml.j2 b/roles/contiv/templates/etcd-scc.yml.j2
new file mode 100644
index 000000000..6c4bb1d1e
--- /dev/null
+++ b/roles/contiv/templates/etcd-scc.yml.j2
@@ -0,0 +1,42 @@
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities: []
+allowedFlexVolumes: []
+apiVersion: v1
+defaultAddCapabilities: []
+fsGroup:
+  ranges:
+  - max: "{{ contiv_etcd_system_gid }}"
+    min: "{{ contiv_etcd_system_gid }}"
+  type: MustRunAs
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: 'For contiv-etcd only.'
+  creationTimestamp: null
+  name: contiv-etcd
+priority: null
+readOnlyRootFilesystem: true
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+runAsUser:
+  type: MustRunAs
+  uid: "{{ contiv_etcd_system_uid }}"
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: MustRunAs
+users:
+- system:serviceaccount:kube-system:contiv-etcd
+volumes:
+- emptyDir
+- hostPath
+- secret