diff options
author | Suren A. Chilingaryan <csa@suren.me> | 2018-03-01 21:15:50 +0100 |
---|---|---|
committer | Suren A. Chilingaryan <csa@suren.me> | 2018-03-01 21:15:50 +0100 |
commit | 69adb23c59e991ddcabf5cfce415fd8b638dbc1a (patch) | |
tree | 8693e708f751923f6f7f9dd48004303bebb4e126 /setup/configs | |
parent | 1f3e2a9f59e83dc3f0fcbecf096a7e7b40d36ed7 (diff) | |
download | ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.gz ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.bz2 ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.xz ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.zip |
Improve handling of filesystem permissions and other fixes
Diffstat (limited to 'setup/configs')
-rw-r--r-- | setup/configs/security.yml | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/setup/configs/security.yml b/setup/configs/security.yml index b870c55..22784b3 100644 --- a/setup/configs/security.yml +++ b/setup/configs/security.yml @@ -1,26 +1,36 @@ -ands_openshift_gid_mode: - ands_default: "MustRunAs" -# sample: "RunAsAny" - -#ands_openshift_uid_mode: -# ands_default: "MustRunAsRange" +#The SCC is global, not per project. +# It is better to work with groups. +#ands_openshift_uid_mode: "MustRunAsRange" +# Allow setting the required fsGroup in pod-specification (default is MustRunAs). +# - If Ceph or other block storage is used, it is necessary set 'fsGroup' in pod definitions if 'RunAsAny' strategy is selected. Otherwise, the matching rules will fail. +# - For some reason, 'fsGroup' is not used as 'gid' for container. The 'gid' is always 0 (maybe only if container is run by unknown user or withiout known group). +# - May be it also should not. While documentation states that the new files are created with fsGroup gid, it also states that fsGroup is only used for network block storage (ceph). +# - Using "MustRunAs" a first 'gid' specified in the project 'supplementalGroups' will be used as 'fsGroup'. +# - Yes, in the project, not 'pod'. Consequently, the 'group' assigned to project is always in the 'supGroups' if 'MustRunAs' is selected. +# - gid=0 is also always in +# I tend to keep the default settings and use +s to enfore group ownership. If project uses multiple 'groups', the first group in the range should not be used and we avoid unintended sharing. +#ands_openshift_gid_mode: "RunAsAny" +#To enforce the range specified in the project configuration. +# - The gids outside of the range will be rejected and pod will fail if "MustRunAs" is selected. +ands_openshift_groups_mode: "MustRunAs" #ands_openshift_uid_ranges: ands_openshift_gid_ranges: kaas: "4000/10" katrin: "5000/10" - test: "7100/10" adei: "6000/10" bora: "6100/10" web: "6200/10" mon: "7000/10" + test: "7100/10" +# The default user and group mentioned in some projects ands_openshift_uids: - kaas: { id: 6000 } + kaas: { id: 4000 } ands_openshift_gids: - kaas: { id: 6000 } + kaas: { id: 4000 } ands_default_file_group: root ands_default_file_owner: root |