Explicitly request "use" verb on SCC (#1458)

In order to notify pod-security.kubernetes.io that we intent to create (potentially privileged) SCCs, so it labels us as "privileged", we have to explicitly request "use" verb for scc. With this change, CNAO's namespace is marked as pod-security.kubernetes.io/enforce: priviledged even before we deploy any of our privileged components. This assures that CNAO does not show up in audit logs. Signed-off-by: Petr Horáček <[email protected]> Signed-off-by: Petr Horáček <[email protected]> Co-authored-by: Petr Horáček <[email protected]>
kubevirt · Nov 22, 2022 · 75c60c7 · 75c60c7
1 parent eb4630f
commit 75c60c7
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/pkg/components/components.go b/pkg/components/components.go
@@ -394,6 +394,7 @@ func GetClusterRole() *rbacv1.ClusterRole {
 					"get",
 					"list",
 					"watch",
+					"use",
 				},
 			},
 			{