Update to match the IBP official YAML files (#595)

Signed-off-by: Matthew B White <whitemat@uk.ibm.com>
IBM-Blockchain · Mar 17, 2022 · 44596c4 · 44596c4
1 parent 4be3e90
commit 44596c4
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/roles/console/templates/k8s/cluster_role.yml.j2 b/roles/console/templates/k8s/cluster_role.yml.j2
@@ -6,6 +6,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: "{{ cluster_role }}"
+  labels:
+  release: "operator"
+  helm.sh/chart: "ibm-ibp"
+  app.kubernetes.io/name: "ibp"
+  app.kubernetes.io/instance: "ibp"
+  app.kubernetes.io/managed-by: "ibp-operator"
 rules:
 - apiGroups:
   - extensions

diff --git a/roles/console/templates/k8s/cluster_role_binding.yml.j2 b/roles/console/templates/k8s/cluster_role_binding.yml.j2
@@ -6,6 +6,12 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: "{{ cluster_role_binding }}"
+  labels:
+    release: "operator"
+    helm.sh/chart: "ibm-ibp"
+    app.kubernetes.io/name: "ibp"
+    app.kubernetes.io/instance: "ibp"
+    app.kubernetes.io/managed-by: "ibp-operator"
 subjects:
 - kind: ServiceAccount
   name: "{{ service_account }}"

diff --git a/roles/console/templates/openshift/security_context_constraints.yml.j2 b/roles/console/templates/openshift/security_context_constraints.yml.j2
@@ -6,11 +6,11 @@ apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
   name: "{{ security_context_constraints }}"
-allowHostDirVolumePlugin: true
-allowHostIPC: true
-allowHostNetwork: true
-allowHostPID: true
-allowHostPorts: true
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
 allowedCapabilities:
@@ -20,15 +20,13 @@ allowedCapabilities:
 - SETGID
 - SETUID
 - FOWNER
-defaultAddCapabilities: null
+defaultAddCapabilities: []
 fsGroup:
   type: RunAsAny
 groups:
-- system:cluster-admins
-- system:authenticated
 - system:serviceaccounts:{{ project }}
 readOnlyRootFilesystem: false
-requiredDropCapabilities: null
+requiredDropCapabilities: []
 runAsUser:
   type: RunAsAny
 seLinuxContext: