From 69adb23c59e991ddcabf5cfce415fd8b638dbc1a Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Thu, 1 Mar 2018 21:15:50 +0100
Subject: Improve handling of filesystem permissions and other fixes
---
 setup/configs/security.yml | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
(limited to 'setup/configs/security.yml')
diff --git a/setup/configs/security.yml b/setup/configs/security.yml
index b870c55..22784b3 100644
--- a/setup/configs/security.yml
+++ b/setup/configs/security.yml
@@ -1,26 +1,36 @@
-ands_openshift_gid_mode:
- ands_default: "MustRunAs"
-# sample: "RunAsAny"
-
-#ands_openshift_uid_mode:
-# ands_default: "MustRunAsRange"
+#The SCC is global, not per project.
+# It is better to work with groups.
+#ands_openshift_uid_mode: "MustRunAsRange"
+# Allow setting the required fsGroup in pod-specification (default is MustRunAs).
+# - If Ceph or other block storage is used, it is necessary set 'fsGroup' in pod definitions if 'RunAsAny' strategy is selected. Otherwise, the matching rules will fail.
+# - For some reason, 'fsGroup' is not used as 'gid' for container. The 'gid' is always 0 (maybe only if container is run by unknown user or withiout known group).
+# - May be it also should not. While documentation states that the new files are created with fsGroup gid, it also states that fsGroup is only used for network block storage (ceph).
+# - Using "MustRunAs" a first 'gid' specified in the project 'supplementalGroups' will be used as 'fsGroup'.
+# - Yes, in the project, not 'pod'. Consequently, the 'group' assigned to project is always in the 'supGroups' if 'MustRunAs' is selected.
+# - gid=0 is also always in
+# I tend to keep the default settings and use +s to enfore group ownership. If project uses multiple 'groups', the first group in the range should not be used and we avoid unintended sharing.
+#ands_openshift_gid_mode: "RunAsAny"
+#To enforce the range specified in the project configuration.
+# - The gids outside of the range will be rejected and pod will fail if "MustRunAs" is selected.
+ands_openshift_groups_mode: "MustRunAs"
 #ands_openshift_uid_ranges:
 ands_openshift_gid_ranges:
  kaas: "4000/10"
  katrin: "5000/10"
- test: "7100/10"
  adei: "6000/10"
  bora: "6100/10"
  web: "6200/10"
  mon: "7000/10"
+ test: "7100/10"
+# The default user and group mentioned in some projects
 ands_openshift_uids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_openshift_gids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_default_file_group: root
 ands_default_file_owner: root
-- cgit v1.2.3
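Review bot: The new default `ands_openshift_gids: kaas: { id: 4000 }` is the first gid of the kaas range `"4000/10"`, which the comment block just above says becomes the project's `fsGroup` under `MustRunAs` and "should not be used" when a project has several groups; as written the value contradicts the guidance and a reader cannot tell whether that is intended. If kaas is known to use a single group, say so on the line, e.g. `kaas: { id: 4000 }  # first gid of the kaas range; also the fsGroup under MustRunAs — intended, kaas has one group`, otherwise move the default off the range start. The observation `gid=0 is also always in` combined with `ands_default_file_group: root` deserves its own comment on that line, since it implies any group-writable path provisioned with the default group is reachable from every project regardless of the per-project gid ranges (inferred from the comments, to be confirmed against the playbooks that consume these values). The comment block also carries two typos, `withiout` and `enfore`.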