WZ-62986

EladGabay · EladGabay · commit b63f4653a21f · 2025-03-23T19:18:57.000+02:00
Add namespace to serviceaccount
Add openshift to values.yaml
Add SecurityContextConstraints
Modify deployment to use "privileged: true" when
installing on openshift
diff --git a/wiz-outpost-lite/templates/deployment.yaml b/wiz-outpost-lite/templates/deployment.yaml
@@ -143,6 +143,9 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:
+            {{- if .Values.openshift }}
+            privileged: true
+            {{- end }}
             capabilities:
               add:
               - SYS_ADMIN
diff --git a/wiz-outpost-lite/templates/openshift.yaml b/wiz-outpost-lite/templates/openshift.yaml
@@ -0,0 +1,41 @@
+{{- range $values := (include "wiz-outpost-lite.runners" . | fromJson) }}
+{{- with merge $values (omit $ "Values") }}
+{{- if and .Values.openshift (eq .runner "container-registry") -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "wiz-outpost-lite.fullname" . }}-scc
+  labels: {{- include "wiz-outpost-lite.labels" . | nindent 4 }}
+allowHostDirVolumePlugin: true
+allowPrivilegedContainer: true
+readOnlyRootFilesystem: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+requiredDropCapabilities: null
+groups: []
+priority: 0
+allowedCapabilities:
+  - SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+seccompProfiles:
+  - '*'
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:sa-{{ .runner }}
+volumes:
+  - downwardAPI
+  - emptyDir
+  - hostPath
+  - secret
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/wiz-outpost-lite/templates/serviceaccount.yaml b/wiz-outpost-lite/templates/serviceaccount.yaml
@@ -5,6 +5,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: sa-{{ .runner }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "wiz-outpost-lite.labels" . | nindent 4 }}
 ---
diff --git a/wiz-outpost-lite/values.yaml b/wiz-outpost-lite/values.yaml
@@ -71,6 +71,10 @@ httpProxyConfiguration:
 
 terminationGracePeriodSeconds: 30
 
+# Use when installing on OpenShift clusters to create a SecurityContextConstraint for our service-account
+openshift: false
+
+# Use when installing on OpenShift clusters to create a Service Account for the SecurityContextConstraint
 serviceAccount:
     create: false
 
