Security context constraint

The HSTS operator automatically creates a Security Context Constraint (SCC) for the instance. This SCC is the same as the OpenShift restricted SCC, except that hostPorts is enabled, which is required for HSTS networking.

The HSTS operator creates a custom SecurityContextConstraint (SCC) called ibm-aspera-hsts-restricted-hostport when an instance is instantiated. This SCC is bound to the instance's ServiceAccount using RBAC. The SCC ibm-aspera-hsts-restricted-hostport is identical to the default restricted SCC included in OpenShift 4.4 except for the allowHostPorts setting, which is enabled; all other host features (host network, host PID, host IPC, host directory volumes, privileged containers) remain denied.

kind: SecurityContextConstraints
allowHostPorts: true
requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAsRange
users: []
allowHostDirVolumePlugin: false
allowHostIPC: false
seLinuxContext:
  type: MustRunAs
readOnlyRootFilesystem: false
metadata:
  annotations:
    kubernetes.io/description: >-
      denies access to all host features except hostport and requires pods to be
      run with a UID, and SELinux context that are allocated to the namespace.
  name: ibm-aspera-hsts-restricted-hostport
fsGroup:
  type: MustRunAs
groups: []
defaultAddCapabilities: null
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
allowHostPID: false
allowHostNetwork: false
allowPrivilegeEscalation: true
apiVersion: security.openshift.io/v1
allowedCapabilities: null
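A practitioner auditing this SCC wants to confirm that it really differs from restricted only in allowHostPorts and has not drifted to grant any other host access. The following is an added example, not code from the HSTS operator or from OpenShift: it embeds the SCC shown above as constructed JSON, assumes the restricted baseline is that same object with allowHostPorts set to false (as the text states), and reports every differing policy field, flagging the ones that widen host access. In practice both objects would come from `oc get scc <name> -o json`.

```python
"""Audit check: confirm a custom SCC differs from the OpenShift 'restricted'
SCC only in the fields the documentation says it changes.

Added example, not part of the HSTS operator or OpenShift. Both objects are
constructed inline here; the 'restricted' baseline is assumed to be the SCC
above with allowHostPorts set to false.
"""
import json

# Constructed: the ibm-aspera-hsts-restricted-hostport SCC from the page, as JSON.
HSTS_SCC = json.loads("""{
  "kind": "SecurityContextConstraints",
  "apiVersion": "security.openshift.io/v1",
  "metadata": {"name": "ibm-aspera-hsts-restricted-hostport"},
  "allowHostPorts": true,
  "allowHostNetwork": false,
  "allowHostPID": false,
  "allowHostIPC": false,
  "allowHostDirVolumePlugin": false,
  "allowPrivilegedContainer": false,
  "allowPrivilegeEscalation": true,
  "allowedCapabilities": null,
  "defaultAddCapabilities": null,
  "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
  "readOnlyRootFilesystem": false,
  "runAsUser": {"type": "MustRunAsRange"},
  "seLinuxContext": {"type": "MustRunAs"},
  "fsGroup": {"type": "MustRunAs"},
  "supplementalGroups": {"type": "RunAsAny"},
  "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"],
  "users": [],
  "groups": []
}""")

# Constructed baseline (assumption): the 'restricted' SCC is the same object
# with host ports denied and a different name.
RESTRICTED_SCC = json.loads(json.dumps(HSTS_SCC))
RESTRICTED_SCC["metadata"]["name"] = "restricted"
RESTRICTED_SCC["allowHostPorts"] = False

# Identity/bookkeeping fields that carry no policy; skipped in the comparison.
IGNORED = {"metadata", "users", "groups", "priority"}

# Fields whose relaxation widens what a pod can reach on the host.
HOST_ACCESS_FIELDS = {"allowHostPorts", "allowHostNetwork", "allowHostPID", "allowHostIPC",
                      "allowHostDirVolumePlugin", "allowPrivilegedContainer"}


def scc_diff(candidate, baseline):
    """Return {field: (candidate_value, baseline_value)} for every policy field that differs."""
    diffs = {}
    for key in sorted(set(candidate) | set(baseline)):
        if key in IGNORED:
            continue
        a, b = candidate.get(key), baseline.get(key)
        if isinstance(a, list) and isinstance(b, list):
            a, b = sorted(a), sorted(b)  # order within a capability or volume list is not significant
        if a != b:
            diffs[key] = (candidate.get(key), baseline.get(key))
    return diffs


def audit_scc(candidate, baseline, allowed_deltas):
    """Compare candidate to baseline and return (ok, report).

    ok is True only when every differing field is listed in allowed_deltas.
    report has one line per difference, marking undocumented ones and those
    that grant extra host access."""
    diffs = scc_diff(candidate, baseline)
    unexpected = sorted(k for k in diffs if k not in allowed_deltas)
    report = []
    for key, (cand, base) in diffs.items():
        flag = " [host access]" if key in HOST_ACCESS_FIELDS else ""
        status = "documented" if key in allowed_deltas else "UNEXPECTED"
        report.append(f"{status}: {key} {base!r} -> {cand!r}{flag}")
    return (not unexpected, report)


if __name__ == "__main__":
    ok, report = audit_scc(HSTS_SCC, RESTRICTED_SCC, allowed_deltas={"allowHostPorts"})
    print("\n".join(report) or "no differences")
    print("PASS" if ok else "FAIL: undocumented drift from restricted")
```

Running the check against the SCC as documented yields a single documented difference; any further relaxed field (for example allowHostNetwork turning true after an operator upgrade) is reported as UNEXPECTED and fails the audit.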