QuickNote: Deploying on ICP 3.1.1 and you don't know what you are doing.
ICP 3.1.1 is locked down.
I used the following PSP to remove all the locked-down settings. Please only use this for POCs and POTs, and be aware you are weakening your environment.
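# POC/POT use only: this policy lifts every pod-level restriction.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  name: ibm-unrestricted
spec:
  allowPrivilegeEscalation: true
  # Any Linux capability and any unsafe sysctl may be requested.
  allowedCapabilities:
  - '*'
  allowedUnsafeSysctls:
  - '*'
  fsGroup:
    rule: RunAsAny
  # Pods may share the node's IPC, network and PID namespaces.
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  # Containers may run as any user, including root.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # Every volume type is allowed, including hostPath.
  volumes:
  - '*'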
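Before an environment moves past POC, it helps to see exactly which fields of a policy like this lift a restriction. The Python check below is an added example, not part of the original note or of ICP; the function name audit_psp and the choice of fields to flag are assumptions, and the sample spec is retyped from the policy above.

```python
# Constructed sample: the spec section of the ibm-unrestricted policy above.
UNRESTRICTED_SPEC = {
    "allowPrivilegeEscalation": True,
    "allowedCapabilities": ["*"],
    "allowedUnsafeSysctls": ["*"],
    "fsGroup": {"rule": "RunAsAny"},
    "hostIPC": True, "hostNetwork": True, "hostPID": True,
    "hostPorts": [{"min": 0, "max": 65535}],
    "privileged": True,
    "runAsUser": {"rule": "RunAsAny"},
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "RunAsAny"},
    "volumes": ["*"],
}


def audit_psp(spec):
    """Return the sorted PodSecurityPolicy spec fields that lift a restriction."""
    findings = set()
    # Switches that are off when the field is omitted.
    for field in ("privileged", "hostIPC", "hostNetwork", "hostPID"):
        if spec.get(field, False):
            findings.add(field)
    # Edge case: privilege escalation is allowed unless explicitly set to false.
    if spec.get("allowPrivilegeEscalation", True):
        findings.add("allowPrivilegeEscalation")
    # A '*' entry permits every capability or every unsafe sysctl.
    for field in ("allowedCapabilities", "allowedUnsafeSysctls"):
        if "*" in (spec.get(field) or []):
            findings.add(field)
    # '*' covers hostPath, which exposes the node's filesystem to the pod.
    if {"*", "hostPath"} & set(spec.get("volumes") or []):
        findings.add("volumes")
    # Any host port range lets pods bind ports on the node itself.
    if spec.get("hostPorts"):
        findings.add("hostPorts")
    # RunAsAny permits UID/GID 0. seLinux is left out on purpose (assumption:
    # RunAsAny there is normal on nodes that do not enforce SELinux).
    for field in ("runAsUser", "fsGroup", "supplementalGroups"):
        if (spec.get(field) or {}).get("rule") == "RunAsAny":
            findings.add(field)
    return sorted(findings)


if __name__ == "__main__":
    for name in audit_psp(UNRESTRICTED_SPEC):
        print("weakens isolation:", name)
```

An empty result means none of the flagged fields is open; the same function can be fed the spec of each policy returned as JSON by the cluster.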
By Chris Phillips on January 11, 2019.
Exported from Medium on April 6, 2019.