firezone-gateway/firezone-gateway-scc.yaml

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: firezone-gateway-scc
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_ADMIN
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPorts: false
allowHostPID: false
allowHostIPC: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: MustRunAs
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
allowedUnsafeSysctls:
  - net.ipv4.ip_forward
  - net.ipv4.conf.all.src_valid_mark
  - net.ipv6.conf.all.disable_ipv6
  - net.ipv6.conf.all.forwarding
  - net.ipv6.conf.default.forwarding
Add firezone-gateway-scc.yaml 2025-02-19 23:10:11 +00:00			`apiVersion: security.openshift.io/v1`
			`kind: SecurityContextConstraints`
			`metadata:`
			`name: firezone-gateway-scc`
			`allowPrivilegedContainer: false`
			`allowedCapabilities:`
			`- NET_ADMIN`
			`allowHostDirVolumePlugin: false`
			`allowHostNetwork: false`
			`allowHostPorts: false`
			`allowHostPID: false`
			`allowHostIPC: false`
			`readOnlyRootFilesystem: false`
			`requiredDropCapabilities:`
			`- ALL`
			`runAsUser:`
			`type: RunAsAny`
			`seLinuxContext:`
			`type: MustRunAs`
			`fsGroup:`
			`type: MustRunAs`
			`supplementalGroups:`
			`type: MustRunAs`
			`volumes:`
			`- configMap`
			`- downwardAPI`
			`- emptyDir`
			`- persistentVolumeClaim`
			`- projected`
			`- secret`
			`allowedUnsafeSysctls:`
			`- net.ipv4.ip_forward`
			`- net.ipv4.conf.all.src_valid_mark`
			`- net.ipv6.conf.all.disable_ipv6`
			`- net.ipv6.conf.all.forwarding`
			`- net.ipv6.conf.default.forwarding`