@@ -6,7 +6,7 @@ description: Learn about deploying Coder in OpenShift Container Platform
66This deployment guide shows you how to customize your [ OpenShift Container
77Platform] cluster in order to deploy Coder. The OpenShift Container Platform
88includes default security features, notably the ` restricted ` [ Security Context
9- Constraint] , which can interfere with applications, including Coder.
9+ Constraint] (SCC) , which can interfere with applications, including Coder.
1010
1111This guide describes customizations to the OpenShift cluster as well as Coder
1212that ensure an optimal user experience.
@@ -19,12 +19,71 @@ that ensure an optimal user experience.
1919- An OpenShift cluster with a Project (Kubernetes namespace) for Coder
2020- OpenShift command-line tools (` oc ` and ` kubectl ` )
2121
22+ ## Modify pod and container security contexts
23+
24+ OpenShift's SCC feature enforces particular settings that applications must
25+ run with. The default ` restricted ` SCC requires that applications run as a user
26+ within a project-specific range (` MustRunAsRange ` ) and must not define a
27+ seccomp profile.
28+
29+ You can view the restrictions using ` oc describe scc restricted ` :
30+
31+ ``` console
32+ $ oc describe scc restricted
33+ Name: restricted
34+ Priority: <none>
35+ Access:
36+ Users: <none>
37+ Groups: system:authenticated
38+ Settings:
39+ Allow Privileged: false
40+ Allow Privilege Escalation: true
41+ Default Add Capabilities: <none>
42+ Required Drop Capabilities: KILL,MKNOD,SETUID,SETGID
43+ Allowed Capabilities: <none>
44+ Allowed Seccomp Profiles: <none>
45+ Allowed Volume Types: configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
46+ Allowed Flexvolumes: <all>
47+ Allowed Unsafe Sysctls: <none>
48+ Forbidden Sysctls: <none>
49+ Allow Host Network: false
50+ Allow Host Ports: false
51+ Allow Host PID: false
52+ Allow Host IPC: false
53+ Read Only Root Filesystem: false
54+ Run As User Strategy: MustRunAsRange
55+ UID: <none>
56+ UID Range Min: <none>
57+ UID Range Max: <none>
58+ SELinux Context Strategy: MustRunAs
59+ User: <none>
60+ Role: <none>
61+ Type: <none>
62+ Level: <none>
63+ FSGroup Strategy: MustRunAs
64+ Ranges: <none>
65+ Supplemental Groups Strategy: RunAsAny
66+ Ranges: <none>
67+ ```
68+
69+ You can override the default settings by defining the following in your Helm
70+ Values file:
71+
72+ ``` yaml
73+ coderd :
74+ podSecurityContext :
75+ runAsUser : null
76+ seccompProfile : null
77+ securityContext :
78+ seccompProfile : null
79+ ` ` `
80+
2281## Option 1: Add the environments service account to anyuid or nonroot
2382
2483Coder's default base images for workspaces, such as ` enterprise-base`, run as
2584the `coder` user (UID 1000). By default, the OpenShift platform does not
26- allow running with this user, as service accounts use the ` restricted ` Security
27- Context Constraint by default, and must run with a project-specific UID.
85+ allow running with this user, as service accounts use the `restricted` SCC by
86+ default, and must run with a project-specific UID.
2887
2988Coder creates workspaces in pods with the service account `environments`, and
3089we recommend adding this service account to the `anyuid` or `nonroot` Security
0 commit comments