OpenShift SCC in declarative form

[errordeveloper]

Currently OpenShift docs have this:

for i in ${!FLUX_CONTROLLERS[@]}; do
  oc adm policy add-scc-to-user nonroot system:serviceaccount:${FLUX_NAMESPACE}:${FLUX_CONTROLLERS[$i]}
done

This can be expressed as a role:

apiVersion: "rbac.authorization.k8s.io/v1"
kind:       "ClusterRole"
metadata: name: string
rules: {
	apiGroups: [
		"security.openshift.io",
	]
	resources: [
		"securitycontextconstraints",
	]
	resourceNames: [
		"nonroot",
	]
	verbs: [
		"use",
	]
}

I based the above on something I wrote for Cilium here: https://github.com/cilium/cilium-olm/blob/d595d9b949ee9eab66968cd5e32636bb79f2fe9d/config/operator/rbac.cue#L50-L66

Happy to make a PR to the docs with an expanded YAML version once I have a bit of time.

[stefanprodan]

Hey @errordeveloper so with this cluster role instead of running a command for each controller SA, people can just do a kubectl apply? If so then I think it's a great UX improvement.

[errordeveloper]

@stefanprodan exactly :)

[stefanprodan]

@errordeveloper can you please post on #4625 the exact YAML that would work for Flux?

[jack-evans]

Could this be something flux does on bootstrap?

[stefanprodan]

Adding that SCC YAML to the repo before bootstrap should be straight forward https://fluxcd.io/flux/installation/configuration/boostrap-customization/